Google Authenticator for CAS and Shibb IdPs

Peter Schober peter.schober at univie.ac.at
Thu Feb 20 15:02:54 EST 2020


* Cantor, Scott <cantor.2 at osu.edu> [2020-02-19 00:21]:
> > Independently, CISO hopes to require MFA for administrative access
> > to Banner ERP, and hopes to do it without licensing Duo (purely
> > cost consideration).
> 
> That means operating a bulletproof device registration and
> management portal and database, and that's a very big project, and
> is outside our normal scope.

Seems to me privacyIDEA is the best current bet for that.  It would be
great if the integration code for the Shib IDP (those 2 more or less
un-/maintained forks of the linotp code) could be brought into shape
to make this a more streamlined exercise, supporting the latest Shib
MFA integration patterns (if that has not happened, yet).

(There also seems to be ongoing work for adding support for WebAuthn
to privacyIDEA[1][2], though I don't know how/whether the Shib IDP
could be using such tokens when registered by/at the privacyIDEA
server.)

Probably naively I'm thinking of some kind of pooling of resources of
interested parties ("adding MFA to the IDP [without Duo]" comes up
repeatedly in several federations I know of) and paying someone to get
that code into shape and contribute it to NetKnights/privacyIDEA for
maintenance, if possible.
No idea whether the Shib Consortium could play any role here.

-peter

[1] https://github.com/privacyidea/privacyidea/issues/1468
[2] https://github.com/privacyidea/privacyidea/pull/2013

