Google Authenticator for CAS and Shibb IdPs

Joseph Fischetti Joseph.Fischetti at
Thu Feb 20 15:20:44 EST 2020

It's really too bad there's too many different implementations of what
should be a relatively straightforward technology (wrt totp).  But the MFA
discussion includes more than just token authentication.

There's absolutely the need for an all-encompassing solution like Duo... and
as Scott pointed out, it costs because there's nothing straightforward about
rolling your own token enrollment/management/recovery/removal solution.

PrivacyIDEA is on my list of things to look at... but that list is long and
its position is low. 

I'm not sure whether the need is real from a community standpoint or not...
We should all be doing MFA, but I feel like the majority of deployers are
doing IdM (or IT?) part time.

-----Original Message-----
From: users <users-bounces at> On Behalf Of Peter Schober
Sent: Thursday, February 20, 2020 3:03 PM
To: users at
Subject: Re: Google Authenticator for CAS and Shibb IdPs


* Cantor, Scott <cantor.2 at> [2020-02-19 00:21]:
> > Independently, CISO hopes to require MFA for administrative access 
> > to Banner ERP, and hopes to do it without licensing Duo (purely cost 
> > consideration).
> That means operating a bulletproof device registration and management 
> portal and database, and that's a very big project, and is outside our 
> normal scope.

Seems to me privacyIDEA is the best current bet for that.  It would be great
if the integration code for the Shib IDP (those 2 more or less
un-/maintained forks of the linotp code) could be brought into shape to make
this a more streamlined exercise, supporting the latest Shib MFA integration
patterns (if that has not happened, yet).

(There also seems to be ongoing work for adding support for WebAuthn to
privacyIDEA[1][2], though I don't know how/whether the Shib IDP could be
using such tokens when registered by/at the privacyIDAE

Probably naively I'm thinking of some kind of pooling of resources of
intersted parties ("adding MFA to the IDP [without Duo]" comes up repeatedly
in several federations I know of) and paying someone to get that code into
shape and contribute it to NetKnights/privacyIDEA for maintenance, if
No idea whether the Shib Consortium could play any role here.


For Consortium Member technical support, see
To unsubscribe from this list send an email to
users-unsubscribe at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5561 bytes
Desc: not available
URL: <>

More information about the users mailing list