How 3. MFA integration with Shibboleth IdP today 4. Assurance & MFA Enhancements for Shibboleth 5. Multi-factor authentication in CAS today 6. Future CAS MFA support 7. Discussion and Questions Tuesday, June 4, 13
Unicon • IAM, Shibboleth, CAS, Internet2 Scalable Privacy • Technical Lead, Cooperative Support for Shib program • 36 years at University of Illinois prior to Unicon • Andrew Petro: Software Developer, 7 years at Unicon • IAM, CAS, Shib, CAS Cooperative Support • Technical Lead, Cooperative Support for CAS program • Jasig CAS committer, CAS work since before CAS 3 Tuesday, June 4, 13
the use of open source technologies • In business since 1993, helped hundreds of schools adopt open source solutions from Apereo • Implementation and development services • Unique maintenance program called "Open Source Support" that significantly contributes to the core community projects. This program is available for Sakai, uPortal, uMobile, CAS, Shibboleth, Grouper, and SSP. • Customized hosting and managed services for all of the above Tuesday, June 4, 13
a Google+ Hangout- On-Air that will be available on the Apereo YouTube channel (youtube.com/apereo) both live and recorded. • Will post slides to Lanyard page for session Tuesday, June 4, 13
• Cracking technologies • Password reuse and “weakest link” • Password policies are (too small) a bandage • Use cases for Higher Levels of Assurance Tuesday, June 4, 13
• Cracking technologies • Password reuse and “weakest link” • Password policies are (too small) a bandage • Use cases for Higher Levels of Assurance Growing understanding that passwords alone can't be fixed. No matter what strength, lifetime, use, protocol, etc. policies we put in place, and security & safeguards we implement. They are broken, and beyond effective repair. Tuesday, June 4, 13
But retrofitting current IdM & credentials to satisfy can be a lot of work • Start over (at least with credentials) and use MFA • Perhaps more affordable if only need for select people/roles today, and/or if we decide MFA is our general future anyways • Provides a potential start on “Gold” Tuesday, June 4, 13
the costs and advantages of using MFA? What are our use cases, plans, deployment strategies, support needs, etc.? • Internet2 Scalable Privacy MFA activities • MFA Pilot institutions • MFA Cohortium: https://spaces.internet2.edu/ display/mfacohortium Tuesday, June 4, 13
• Any access to this service • Opt-in for anyone • Integration into SSO framework would provide “big bank for the buck” Some possible deployment strategies: Tuesday, June 4, 13
MFA for any federated service, local or external • Limited support for MFA in Shibboleth today • Duo Security (phone-based plus) • For all authentications • On Demand • Yubico’s Yubikey recipe for Shib Tuesday, June 4, 13
Assurance and MFA Enhancements to Shibboleth Identity Provider • Shibboleth Identity Provider plugin to address the technical requirements outlined in Assurance Enhancements for the Shibboleth Identity Provider • Responses due May 31, 2013 • Code by end of August 2013, acceptance by December 1, 2013 Tuesday, June 4, 13
support one or more Authentication Contexts • IdM maintains Authn Contexts user eligible for • IdP tracks user’s eligible Authn Contexts that have been authenticated and which have not • SP is specifying the Authn Context it will accept Use cases that should be supported Assumptions: Tuesday, June 4, 13
Active Session 1.1. Option: Username/password first, then options which satisfy context and for which user is eligible 1.2. Option: Any supported authn method that satisfies 2. Active IdP session; Further authentication required 3. Active IdP session; SP sends a list of acceptable Authentication Contexts Use cases that should be supported Tuesday, June 4, 13
CAS server, • a higher-LOA CAS server • Only some users can log in to the higher LOA CAS server • Entails first logging in via normal CAS (first factor) • and a second credential (second factor) Tuesday, June 4, 13
3.5, out loud and in public, per successful response to Evergreen State RFP • Will cherry pick in backports of CAS 4 code as appropriate, of course • https://github.com/unicon/cas-mfa Tuesday, June 4, 13
LOA-aligned features along the lines of those intended in Shibboleth • Dovetail right into Evergreen effort? • Gotta love that GitHub. GitHub + open source license = radical openness. Tuesday, June 4, 13
rights reserved. • Microphone: http://www.flickr.com/photos/deanhp/3711222265/ cc-by • Composition books: http://www.flickr.com/photos/ 83251575@N04/7639841596 cc-by • Soap: http://www.flickr.com/photos/ 21222992@N00/353215962 cc-by-nc-sa • Benevocats (c) GitHub, all rights reserved, used only in reference to and to evoke the awesomeness of GitHub. Tuesday, June 4, 13