Hey all,
everyone is top-posting; I'll try to answer inline
On Tue, 23 Apr 2019 at 18:08, Giuseppe De Marco <giuseppe.demarco at unical.it> wrote:
> I think that this is a great idea,
> probably there would be the need to configure also a selective policy, to decide which IdP
> needs MFA or, if MFA will be activated by default for every IdP, which of them will be
> considered out from this policy.
> If the MFA is already available IdP side this could be frustrating, so I think that it
> could be a good idea to put it in the proxy with selectable IdPs
The IdP (or another service) will release the LoA information, but it
is a service that requires a certain LoA. Below, I describe the way we
map services to LoAs.
On Tue, 23 Apr 2019 at 16:07, Scott Koranda <skoranda at gmail.com> wrote:
>
> Hi,
>
> I know it has been talked about as "doable", but has anybody already
> deployed SATOSA with a response microservice that implements a "step-up"
> flow to leverage a second factor (like Duo) when the authenticating IdP
> does not assert that MFA was used?
>
Yes. With eduTEAMS we have a micro-service which implements a mini-SP
with the purpose of connecting to an external service that will do the
"step-up". As Niels pointed out, we do this with the OpenConext Stepup
service[0] and we can assert a higher LoA using either Tiqr[1] or a
hardware authentication device like yubikey.
The configuration allows you to specify a complete pysaml2-based SP
configuration (just like the saml2 backend sp_config part), the
signature algorithm to be used (which will be part of pysaml2
configuration soon), an attribute whose value will be used as the
NameID value and a structure that maps SP-entity-ids to a minimum
required LoA and a list of LoAs that should also be accepted (higher
level than the required one).
When an authn-response is received, the authn-context-class-ref and the
requester are checked against that list and, if needed, the current
state is saved and a new flow starts towards the Stepup service. When
the latter flow's authn-response is received, the new
authn-context-class-ref is checked against the required LoA and
either an error is returned, or the state is restored, the LoA is
updated and the initial flow continues.
> If so, are you considering sharing it and/or contributing it to the code
> base?
>
Yes, it should be made public. I should talk to Christos and set up a
public repo for this as others have asked for it. Do remind me if I
don't send out a response soon.
[0]: https://openconext.org/stepup/
[1]: https://tiqr.org/documentation/
Cheers,
--
Ivan c00kiemon5ter Kanakarakis >:3
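The step-up decision described in the message above (check the requester and the asserted authn-context-class-ref against a per-SP policy of a required LoA plus a list of also-accepted LoAs; save state and start a step-up flow if it is insufficient; on return, verify the new LoA and either error out or restore the state with the updated LoA), written out as an added example. This is not the eduTEAMS micro-service or SATOSA code; the LoA identifiers, SP entity ids and the `StepUpPolicy`/`FlowState` names are constructed for illustration, and it assumes that a requester with no policy entry passes through unchanged and that saved state is keyed by an opaque state id.

```python
from dataclasses import dataclass, field

# Constructed LoA identifiers standing in for real authn-context-class-ref URIs.
LOA_LOW = "urn:example:loa:low"
LOA_MFA = "urn:example:loa:mfa"
LOA_HIGH = "urn:example:loa:high"

# Constructed policy in the shape the message describes: SP entity id ->
# minimum required LoA and a list of LoAs that are also accepted (higher
# than the required one). SPs not listed here pass through (assumption).
SP_POLICY = {
    "https://sp.example.org/saml": {"required": LOA_MFA, "accepted": [LOA_HIGH]},
    "https://archive.example.org/saml": {"required": LOA_LOW, "accepted": [LOA_MFA, LOA_HIGH]},
}


@dataclass
class FlowState:
    """The part of the authn state that must survive the step-up detour."""
    requester: str            # SP entity id that started the flow
    attributes: dict          # attributes asserted by the original IdP
    loa: str                  # authn-context-class-ref asserted so far
    name_id: str = ""         # attribute value used as NameID towards the Stepup SP


class StepUpPolicy:
    def __init__(self, policy_map):
        self._policy = policy_map
        self._saved = {}      # state id -> FlowState parked while step-up runs

    def accepted_for(self, requester):
        """Set of LoAs that satisfy the requester, or None when unpoliced."""
        entry = self._policy.get(requester)
        if entry is None:
            return None
        return {entry["required"], *entry["accepted"]}

    def on_authn_response(self, state_id, state):
        """First leg: decide whether the IdP's assertion is good enough.

        Returns ("continue", state) or ("step-up", required_loa).
        """
        accepted = self.accepted_for(state.requester)
        if accepted is None or state.loa in accepted:
            return "continue", state
        # Insufficient: park the state and hand off to the Stepup service.
        self._saved[state_id] = state
        return "step-up", self._policy[state.requester]["required"]

    def on_stepup_response(self, state_id, stepup_loa):
        """Second leg: verify what the Stepup service asserted.

        Returns ("continue", restored_state) with the LoA updated, or
        ("error", reason) when the step-up did not reach the policy.
        """
        state = self._saved.pop(state_id, None)
        if state is None:
            return "error", "no saved state for this step-up response"
        accepted = self.accepted_for(state.requester)
        if stepup_loa not in accepted:
            # Do not restore: the original flow must not continue on a weak LoA.
            return "error", f"step-up asserted {stepup_loa}, policy requires one of {sorted(accepted)}"
        state.loa = stepup_loa
        return "continue", state


def demo():
    """Run both legs for a constructed login that needs step-up."""
    policy = StepUpPolicy(SP_POLICY)
    first = FlowState("https://sp.example.org/saml", {"eppn": "alice@example.org"}, LOA_LOW, "alice")
    verdict, payload = policy.on_authn_response("state-1", first)
    # The IdP only asserted LOA_LOW, so the proxy must start the step-up flow.
    assert verdict == "step-up" and payload == LOA_MFA
    verdict, restored = policy.on_stepup_response("state-1", LOA_MFA)
    return verdict, restored.loa, restored.attributes["eppn"]


if __name__ == "__main__":
    print(demo())
```

The two entry points mirror the two authn-responses the message talks about; keeping the parked state out of the response path (it is only restored after the new LoA passes the check) is what prevents a too-weak step-up result from letting the original flow proceed.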