Google Authenticator for CAS and Shibb IdPs
Greg Haverkamp
gahaverkamp at lbl.gov
Tue Feb 18 18:09:42 EST 2020
On Tue, Feb 18, 2020 at 2:36 PM IAM David Bantz <dabantz at alaska.edu> wrote:
> From what I can tell, the Google Authenticator in Apereo CAS (https://apereo.github.io/cas/5.1.x/installation/GoogleAuthenticator-Authentication.html) makes CAS an MFA provider maintaining device registrations, secret keys, etc. (but not supporting PUSH AFAICT), so fundamentally different from Shibb Duo plugin.
>
> I'm asking for sanity check of my understanding, any updates on possible Authenticator/Shibboleth integration and additional considerations to inform management/executive decisions re SSO and MFA for Banner.
Google Authenticator is just an OATH token.
Somewhere, you need some place to store the token secrets, regardless
of which type of OATH client you use. It appears CAS will do that
with its own store.
Recently, another user on the list released his updates from a
somewhat long-lived TOTP module for Shibboleth:
https://github.com/joeFischetti/Shibboleth-IdP3-TOTP-Auth
Some small number of folks here use LinOTP or its privacyIDEA
derivative, with some examples of that:
https://github.com/cyber-simon/idp-auth-linotp and
https://github.com/TheRealKingS/privacyIDEA-shibboleth-tfa
(My implementation is a heavily modified, over-complicated fork of the
cyber-simon module. I'd earlier written a simpler one, which I keep
intending to go back to.)
But I'll just note, as Scott did in the thread on Joe Fischetti's
contribution, the expense will come in maintaining your own system.
Duo had deficiencies at the time we were rolling ours out (and we
didn't qualify for the InCommon pricing), else we probably would have
gone that way and saved a lot of headaches over the years. (I just
had to push out a patch to our token reset script today, after we
realized that, due to growth in our user base, it could no longer
reliably find the most recent failed attempt in a single search.)
Then there's managing a custom UI, dealing with Android device clock
skew, etc.
Greg
>
> David Bantz
> UA OIT IAM
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
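Since the thread above turns on three points (Google Authenticator is plain OATH/TOTP, the IdP has to hold the token secrets somewhere, and device clock skew has to be tolerated without opening a replay hole), here is a small worked example of what that verification side looks like. It is added for illustration and is not code from Shibboleth, CAS, or any of the modules linked above. It implements RFC 6238 TOTP over HMAC-SHA1 and is checked against the RFC's published test vector (secret `12345678901234567890`, time 59, code `94287082`). The `TotpStore` class is a stand-in for whatever secret store an IdP uses; the skew window of one 30-second step on either side and the "last accepted counter" replay check are design choices assumed here, not taken from any of the projects discussed.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional

# RFC 6238 test secret (ASCII), used here only so results are checkable.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def secret_from_base32(b32: str) -> bytes:
    """Google Authenticator enrolment QR codes carry the secret in base32."""
    padded = b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = STEP_SECONDS) -> Optional[int]:
    """Return the step offset (-window..+window) at which `submitted` matches, or None.

    The offset is worth logging: a user whose codes consistently match at -1 or +1
    has a phone clock that is drifting, which is the Android skew problem from the thread.
    """
    base_counter = unix_time // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, base_counter + delta, digits)
        # Constant-time compare so the check does not leak which digits matched.
        if hmac.compare_digest(expected, submitted):
            return delta
    return None


class TotpStore:
    """Stand-in for the IdP's token store (CAS's own store, LinOTP, privacyIDEA, etc.).

    Holds each user's secret and the last counter that was accepted, so that a code
    which was valid inside the skew window cannot be replayed a second time.
    """

    def __init__(self, digits: int = 6, window: int = 1, step: int = STEP_SECONDS):
        self._secrets: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}
        self.digits, self.window, self.step = digits, window, step

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_counter[user] = -1

    def authenticate(self, user: str, submitted: str, unix_time: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        delta = verify_totp(secret, submitted, unix_time, self.window, self.digits, self.step)
        if delta is None:
            return False
        counter = unix_time // self.step + delta
        # Replay protection: never accept a counter at or before the last one used.
        if counter <= self._last_counter[user]:
            return False
        self._last_counter[user] = counter
        return True


if __name__ == "__main__":
    store = TotpStore(digits=8)
    store.enroll("alice", RFC6238_SECRET)
    print(totp(RFC6238_SECRET, 59, digits=8))          # 94287082 per RFC 6238
    print(store.authenticate("alice", "94287082", 59))  # True
    print(store.authenticate("alice", "94287082", 59))  # False: replayed
```

The point a practitioner should take from the replay check is that widening the skew window (say to ±2 steps to cope with badly drifting phones) is only safe if the accepted counter is recorded per user, otherwise every extra step is an extra minute during which a shoulder-surfed or phished code stays usable.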