
How are folks handling multiple authenticators in shib 2 and how are the multiple authenticators being presented to the user (the UI) when an app supports more than one authenticator?

Best Regards,
Mojgan
 
MOJGAN A. AMINI
Director of Middleware and Identity Management, ACT
University of California, San Diego

858-534-1023 (w) | 858-225-4037 (m)
mojgan@ucsd.edu

Comments

On 11/29/2012 10:25 AM, Amini, Mojgan wrote:
How are folks handling multiple authenticators in shib 2 and how are the multiple authenticators being presented to the user (the UI) when an app supports more than one authenticator?

Our Shib IdP supports both password authentication and two-factor (OTP token using Safeword Silver tokens) using a locally developed custom LoginHandler.

SPs can request two factor authentication by requesting a specific AuthnContextClassRef.  Doing so alters the user interface for the login page to display a token and give token-specific instructions.

Users can also use two-factor to log in if the SP does not request two-factor auth.  In that case, the standard login page is displayed.  If the password entered does not match their normal password, and their directory entry indicates they have an active token, and the password entered conforms to the two-factor format (six alphanums plus four numbers) then it is checked against our two-factor system as a token auth.

Either way, if the login is completed using a normal password, a standard (unspecified) AuthnContextClassRef is returned to the SP.  If it is completed using two-factor, our two-factor AuthnContextClassRef is returned.  An app that requires two-factor should check this value to ensure two-factor was actually used.

This configuration allows users with tokens to use them both for apps that require it and those that don't care (the vast majority), allowing for the option of increased security (say, if you're logging in on a computer you don't fully trust or to a wireless access point that may not be legit).
-- %% Christopher A. Bongaarts %% cab@umn.edu %% %% OIT - Identity Management %% http://umn.edu/~cab %% %% University of Minnesota %% +1 (612) 625-1809 %%
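The reply's closing advice, that an app requiring two-factor must inspect the returned AuthnContextClassRef rather than trust that the IdP honoured the request, as an added SP-side check (example code, not from the original thread or any UMN deployment). The two-factor class URI is a placeholder, since the real one is not given on the page; the sample assertions are constructed and unsigned.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder for the IdP's locally defined two-factor class (assumption: real URI not on the page).
TWO_FACTOR_CLASS = "urn:example:ac:classes:two-factor"
# Standard class the reply says is returned after a plain password login.
UNSPECIFIED_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"


def authn_context_classes(assertion_xml):
    """Return every AuthnContextClassRef value carried by the assertion's AuthnStatements."""
    root = ET.fromstring(assertion_xml)
    return [el.text.strip() for el in root.iterfind(".//saml:AuthnContextClassRef", SAML_NS)
            if el.text]


def two_factor_satisfied(assertion_xml, required_class=TWO_FACTOR_CLASS):
    """True only when the IdP asserted exactly the required two-factor class.

    A password-only (unspecified) context, a missing AuthnStatement, or several
    contexts of which one is weaker all fail: the app must not assume the SP's
    AuthnContextClassRef request was honoured.
    """
    classes = authn_context_classes(assertion_xml)
    return len(classes) == 1 and classes[0] == required_class


def _assertion(class_ref):
    # Constructed sample assertion; signature and Conditions omitted for brevity.
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_c1" Version="2.0" IssueInstant="2012-11-29T18:25:00Z">'
        '<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>'
        '<saml:AuthnStatement AuthnInstant="2012-11-29T18:25:00Z"><saml:AuthnContext>'
        f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
        '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
    )


TOKEN_ASSERTION = _assertion(TWO_FACTOR_CLASS)       # user logged in with the OTP token
PASSWORD_ASSERTION = _assertion(UNSPECIFIED_CLASS)   # user logged in with a normal password
NO_CONTEXT_ASSERTION = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>'

if __name__ == "__main__":
    for name, a in [("token", TOKEN_ASSERTION), ("password", PASSWORD_ASSERTION),
                    ("no-context", NO_CONTEXT_ASSERTION)]:
        print(name, "->", "two-factor OK" if two_factor_satisfied(a) else "REJECT")
```

In a real SP (e.g. the Shibboleth SP) the same decision is usually expressed as an access-control rule on the authnContextClassRef attribute after signature validation, which this snippet does not perform.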