Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?
Ray Bon
rbon at uvic.ca
Mon Nov 16 16:48:57 UTC 2020
Andrew,
I am currently looking into Azure MFA with cas (we use cas for auth with shib).
As far as I can tell, from docs and Azure config screens, Azure MFA is only for Azure authentication (not general purpose MFA). One must log into AAD to get access to Azure MFA (if anyone knows how to get around this, let me know). So users might see a second login screen if you have another source of username/password.
The second issue is how to make MFA optional and what happens when the first Azure login does not use MFA? (If I understand cas correctly, it does not send the remote service to Azure, but the login is to cas itself, as a SP. Shib may be different.)
The third issue, how to return acknowledgement of MFA to the remote service? This seems more challenging in cas. YMMV in shib.
(I know I am going on about cas here, but these will be my investigatory tasks for the next two days).
Ray
On Mon, 2020-11-16 at 12:34 +0000, Turner, Andrew P wrote:
Hi
I think you may have misunderstood (unless of course I have since I’ve not actually used it yet!).
My understanding of the flow is:
* an SP directs user to their Shib IdP (or they do IdP initiated auth)
* If the user doesn’t have a Shib session, the Shib IdP sends user to Azure AD for authentication purposes (inc MFA if applicable)
* Shib IdP receives authentication result
* Shib IdP sends SAML Response to SP
The Shib IdP is simply authenticating the user against Azure AD rather than traditional LDAP/others. The Shib IdP is acting like an SP to the Azure AD IdP.
I’m sure Overt can do a better job of explaining than I can though! 😊
I appreciate this isn’t a direct answer to Vincent’s problem (i.e. how to integrate Azure MFA directly into the Shib auth process), but it is an alternative way to do this, probably worth consideration.
I really can’t say enough about how much value we’ve had from moving to using Overt’s hosted solution. The dashboard makes so many tasks easier, they do any required upgrades and patches, they have developed it at zero cost based on my own feedback and their support has been excellent and often goes beyond what many others would provide for the same cost. By the way, I am in no way affiliated with them or get any incentives – I’m just a happy customer who already has way too many things to do and this saves me time 😊
Hope this helps
Andy
______________________________
Andrew Turner
Senior Infrastructure Analyst
Digital Technology Services
Sheffield Hallam University
From: users <users-bounces at shibboleth.net> On Behalf Of Joseph Fischetti
Sent: 16 November 2020 12:18
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?
In the scenario that Andy describes, Microsoft is still running your IdP; they're just delegating authentication to your Shibboleth IdP.
This doesn't necessarily accomplish what the original poster was looking for. Any SP pointed to Shib will not be protected with MFA. Only those pointed to Azure will get prompted for MFA.
At this point in time, I do believe Duo is the only turnkey solution. I had developed a plugin (pre-4.0) so the IdP could do native TOTP MFA. It worked well, but with it comes all sorts of other token management issues you would have to deal with.
________________________________
From: users <users-bounces at shibboleth.net<mailto:users-bounces at shibboleth.net>> on behalf of Turner, Andrew P <A.P.Turner at shu.ac.uk<mailto:A.P.Turner at shu.ac.uk>>
Sent: Monday, November 16, 2020 4:46:34 AM
To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Subject: RE: Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?
Hi
We’re just rolling out Azure MFA and are in a similar situation to yourself. We have Shibboleth doing lots of SSO and ADFS doing Azure AD/Office 365 + a growing number of other apps.
We took the decision a couple of years ago to go with Overt Software’s<https://www.overtsoftware.com/> hosted (though I think you can run on-prem too if you prefer) Shibboleth IdP for which they have a “bridge<https://www.overtsoftware.com/adfs-shibboleth-bridge/>” between Shib and Azure AD. This means you can point your Shib IdP at Azure AD for authentication, and hence benefit from Azure MFA.
They also have their own MFA solution that can be used with their IdP. If you went that route you could do the “bridging” the other way and use the Shib IdP to create a session on Azure AD for SSO to that too.
They also provide a great dashboard for reporting on and managing the config (and it integrates their MFA solution I think too). It’s also been very reasonably priced (for us at least) and I certainly wouldn’t go back to managing our own IdP installations.
We haven’t quite made the jump to using the bridge yet (as we don’t have consistent identities across the directory used by Shib and Azure AD), but we do plan to. I know at least one other Uni in the UK that has.
I’m sure other suppliers are also available 😊
Andy
______________________________
Andrew Turner
Senior Infrastructure Analyst
Digital Technology Services
Sheffield Hallam University
From: users <users-bounces at shibboleth.net<mailto:users-bounces at shibboleth.net>> On Behalf Of Vincent Feyaerts
Sent: 16 November 2020 08:25
To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Subject: Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?
Hi,
Currently we have a Shibboleth IdP 3.x running with Microsoft ADFS as slave for Microsoft products like Office 365. We’re upgrading to Shib IdP 4 soon. Since we are an educational institution, I don’t think it’s realistic to have it reversed, where Shibboleth is the slave and ADFS is the master. We’ve done some extensive fine-tuning for SPs that have special requirements, and we are part of a number of federations with their own requirements; I don’t think we can emulate that IdP behaviour with ADFS.
So now we are looking into MFA. Duo is, from a Shibboleth perspective, by far the easiest to implement. It’s already there. But since we use a lot of Microsoft products, Azure MFA has been mentioned as well. This question has been asked before, but this information is old, and to be honest, the answers are not 100% clear. So, is there any realistic approach to integrating Azure MFA with a Shibboleth 4 IdP? This would be custom code I guess, to be developed by somebody we pay. But does Azure MFA even expose an API these days to make that possible? And more importantly, can we assume that they will continue to provide this API? Is anyone looking to implement such a solution?
In the past I read somewhere the following statement: Microsoft doesn’t want to integrate with our IdP, they want to be your IdP :) Was that true? And is it still true? I think Azure MFA will probably integrate great with ADFS and therefore Office and Teams and whatnot, I’m worried about the other non-MS stuff.
Another, unrelated question: is there any timeline for the release of IdP 4.1?
Thank you
Vincent Feyaerts
Network administrator
University of Antwerp
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rbon at uvic.ca<mailto:rbon at uvic.ca>
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
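Ray's third issue above (how the remote service learns that MFA actually happened) is, on the SAML side, a question of what the IdP puts in the assertion's AuthnContext. The following is an added example, not code from this thread or from Shibboleth: it assumes the REFEDS MFA profile URI (https://refeds.org/profile/mfa) as the agreed MFA signal, and the SAML Response, issuer URLs and tenant placeholder in it are constructed.

```python
"""Decide, SP-side, whether a SAML Response asserts MFA.

Added example, not from the mailing-list thread. Assumes the REFEDS MFA
profile URI is what the IdP emits for MFA logins; the sample is constructed
and unsigned, so a real SP must verify the signature and Conditions first.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Constructed sample. AuthenticatingAuthority is where a proxying IdP (the
# Shib-as-SP-to-Azure-AD setup in the thread) names the upstream IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2020-11-16T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-11-16T12:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2020-11-16T11:59:58Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
        <saml:AuthenticatingAuthority>https://sts.windows.net/tenant-id-placeholder/</saml:AuthenticatingAuthority>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def authn_context(response_xml: str) -> dict:
    """Collect every AuthnContextClassRef and AuthenticatingAuthority."""
    root = ET.fromstring(response_xml)
    refs = [e.text.strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS) if e.text]
    auths = [e.text.strip() for e in root.iterfind(".//saml:AuthenticatingAuthority", NS) if e.text]
    return {"class_refs": refs, "authorities": auths}


def mfa_asserted(response_xml: str, accepted=(REFEDS_MFA,)) -> bool:
    """True only if the response has an AuthnStatement and every one of
    its context class refs is an accepted MFA context. No AuthnStatement,
    or a PasswordProtectedTransport-only context, is treated as no MFA."""
    refs = authn_context(response_xml)["class_refs"]
    return bool(refs) and all(r in accepted for r in refs)
```

The SP should treat the class ref as the only evidence of MFA; the presence of an AuthenticatingAuthority tells it which upstream IdP was consulted but not whether a second factor was used.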