Google Authenticator for CAS and Shibb IdPs

Peter Schober peter.schober at
Thu Feb 20 15:02:54 EST 2020

* Cantor, Scott <cantor.2 at> [2020-02-19 00:21]:
> > Independently, CISO hopes to require MFA for administrative access
> > to Banner ERP, and hopes to do it without licensing Duo (purely
> > cost consideration).
> That means operating a bulletproof device registration and
> management portal and database, and that's a very big project, and
> is outside our normal scope.

Seems to me privacyIDEA is the best current bet for that.  It would be
great if the integration code for the Shib IDP (those 2 more or less
un-/maintained forks of the linotp code) could be brought into shape
to make this a more streamlined exercise, supporting the latest Shib
MFA integration patterns (if that has not happened, yet).

(There also seems to be ongoing work for adding support for WebAuthn
to privacyIDEA[1][2], though I don't know how/whether the Shib IDP
could be using such tokens when registered by/at the privacyIDAE

Probably naively I'm thinking of some kind of pooling of resources of
intersted parties ("adding MFA to the IDP [without Duo]" comes up
repeatedly in several federations I know of) and paying someone to get
that code into shape and contribute it to NetKnights/privacyIDEA for
maintenance, if possible.
No idea whether the Shib Consortium could play any role here.



More information about the users mailing list