How are folks handling multiple authenticators in shib 2 and how are the multiple authenticators being presented to the user (the UI) when an app supports more than one authenticator?

Best Regards,
Mojgan
 
MOJGAN A. AMINI
Director of Middleware and Identity Management, ACT
University of California, San Diego

858-534-1023 (w) | 858-225-4037 (m)
mojgan@ucsd.edu

Comments

On 11/29/2012 10:25 AM, Amini, Mojgan wrote:
How are folks handling multiple authenticators in shib 2 and how are the multiple authenticators being presented to the user (the UI) when an app supports more than one authenticator?

Our Shib IdP supports both password authentication and two-factor (OTP token using Safeword Silver tokens) using a locally developed custom LoginHandler.

SPs can request two factor authentication by requesting a specific AuthnContextClassRef.  Doing so alters the user interface for the login page to display a token and give token-specific instructions.

Users can also use two-factor to log in if the SP does not request two-factor auth.  In that case, the standard login page is displayed.  If the password entered does not match their normal password, and their directory entry indicates they have an active token, and the password entered conforms to the two-factor format (six alphanums plus four numbers) then it is checked against our two-factor system as a token auth.

Either way, if the login is completed using a normal password, a standard (unspecified) AuthnContextClassRef is returned to the SP.  If it is completed using two-factor, our two-factor AuthnContextClassRef is returned.  An app that requires two-factor should check this value to ensure two-factor was actually used.

This configuration allows users with tokens to use them both for apps that require it and those that don't care (the vast majority), allowing for the option of increased security (say, if you're logging in on a computer you don't fully trust or to a wireless access point that may not be legit).
--
%%  Christopher A. Bongaarts   %%  cab@umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
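
The login decision and the SP-side check described in the reply above, modelled as an added example; this is not the University of Minnesota LoginHandler code. The two-factor class URI, the directory record layout and the `verify_token` callback are assumptions made for illustration.

```python
import hmac
import re

# Real SAML 2.0 "unspecified" class. The two-factor URI is a placeholder:
# the post does not give the site's actual AuthnContextClassRef.
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
TWO_FACTOR = "urn:example:ac:classes:two-factor"

# "six alphanums plus four numbers", as stated in the post
TOKEN_FORMAT = re.compile(r"[A-Za-z0-9]{6}[0-9]{4}")


def authenticate(entry, submitted, verify_token):
    """Return the AuthnContextClassRef the IdP asserts, or None on failure.

    entry: constructed directory record {"password": str, "active_token": bool}
           (a real IdP would bind to the directory, not compare plaintext)
    verify_token: hypothetical callable standing in for the two-factor backend
    """
    # 1. Normal password first: success yields the unspecified class.
    if hmac.compare_digest(submitted.encode(), entry["password"].encode()):
        return UNSPECIFIED
    # 2. Fall back to token auth only if the user has an active token and
    #    the input has the token shape; otherwise the backend is never asked.
    if (entry["active_token"]
            and TOKEN_FORMAT.fullmatch(submitted) is not None
            and verify_token(submitted)):
        return TWO_FACTOR
    return None


def sp_accepts(asserted_ref, require_two_factor):
    """SP-side check: decide on the class the IdP asserted, not on the
    class the SP asked for in its request."""
    if asserted_ref is None:
        return False
    return asserted_ref == TWO_FACTOR or not require_two_factor
```

A token holder who types the normal password still gets the unspecified class, so an SP that needs two-factor has to reject that assertion itself.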