Google Authenticator for CAS and Shibb IdPs
peter.schober at univie.ac.at
Thu Feb 20 15:02:54 EST 2020
* Cantor, Scott <cantor.2 at osu.edu> [2020-02-19 00:21]:
> > Independently, CISO hopes to require MFA for administrative access
> > to Banner ERP, and hopes to do it without licensing Duo (purely
> > cost consideration).
> That means operating a bulletproof device registration and
> management portal and database, and that's a very big project, and
> is outside our normal scope.
Seems to me privacyIDEA is the best current bet for that. It would be
great if the integration code for the Shib IDP (those 2 more or less
un-/maintained forks of the linotp code) could be brought into shape
to make this a more streamlined exercise, supporting the latest Shib
MFA integration patterns (if that has not happened, yet).
(There also seems to be ongoing work for adding support for WebAuthn
to privacyIDEA, though I don't know how/whether the Shib IDP
could be using such tokens when registered by/at the privacyIDEA
Probably naively I'm thinking of some kind of pooling of resources of
interested parties ("adding MFA to the IDP [without Duo]" comes up
repeatedly in several federations I know of) and paying someone to get
that code into shape and contribute it to NetKnights/privacyIDEA for
maintenance, if possible.
No idea whether the Shib Consortium could play any role here.