[eduVPN-deploy] Two-factor authentication per profile with shibboleth

Wenche Backman-Kamila wenche.backman-kamila at csc.fi
Fri Sep 25 16:21:09 CEST 2020


Hi,

;-) No, probably not a very fair comparison...


I'll give it a try and see how far I'll get. 

In the config file, with:


    'idpList' => [
        'https://testidp.funet.fi/idp/shibboleth',
    ],

    'metadataList' => [
    //    'https://metadata.wayf.dk/wayf-metadata.xml' => ['wayf.dk.crt'],
    //    'https://metadata.surfconext.nl/idp-metadata.xml' => ['SURFconext-metadata-signer.pem'],
        'https://haka.funet.fi/metadata/haka_test_metadata_signed.xml' => ['/etc/pki/tls/certs/haka_testi_2018_sha2.crt'],
    ],


I get (using the test button):

500 - Internal Server Error

Error Message
    no metadata for IdP "https://testidp.funet.fi/idp/shibboleth" available


Any idea why? 

Thanks in advance.

Regards,

Wenche 
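The error quoted in the message above says the SP found no entry for that entityID in the metadata it loaded. One check a practitioner would run before looking further is whether the entityID actually appears in the aggregate, spelled identically, as an entity with an IDPSSODescriptor, an HTTP-Redirect SingleSignOnService and a signing key. The script below does exactly that lookup. It is an added illustration, not php-saml-sp code and not derived from the Haka metadata: SAMPLE_AGGREGATE is a constructed, heavily trimmed stand-in whose entities, endpoints and certificate text are made up (the only real entityID in it is the one from the mail, used as a negative case). It does not verify the aggregate's XML signature at all, so a successful lookup here says nothing about whether the SP accepts the file.

```python
"""Look an IdP entityID up in a SAML metadata aggregate.

Added illustration, not php-saml-sp code. SAMPLE_AGGREGATE is a constructed,
heavily trimmed stand-in for a real aggregate: its entities, endpoints and
certificate text are made up. The aggregate's XML signature is NOT checked.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="constructed-test-aggregate">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBconstructed</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def index_metadata(metadata_xml):
    """Return (set of all entityIDs, {entityID: info} for entities that have an IDPSSODescriptor)."""
    root = ET.fromstring(metadata_xml)
    all_ids, idps = set(), {}
    # EntityDescriptor may be the root or sit inside (nested) EntitiesDescriptor elements.
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        eid = ed.get("entityID")
        all_ids.add(eid)
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        certs = 0
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
                certs += len(kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
        idps[eid] = {
            "sso_redirect": [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                             if s.get("Binding") == REDIRECT_BINDING],
            "signing_certs": certs,
        }
    return all_ids, idps


def check_idp(metadata_xml, entity_id):
    """Say whether entity_id is usable as an IdP from this aggregate, and if not, why."""
    all_ids, idps = index_metadata(metadata_xml)
    if entity_id in idps:
        info = idps[entity_id]
        if not info["sso_redirect"]:
            return {"ok": False, "reason": "no HTTP-Redirect SingleSignOnService"}
        if info["signing_certs"] == 0:
            return {"ok": False, "reason": "no signing certificate in IDPSSODescriptor"}
        return {"ok": True, **info}
    if entity_id in all_ids:
        return {"ok": False, "reason": "entity present but has no IDPSSODescriptor"}
    # entityIDs are compared as exact strings; list near misses that differ only
    # in case or a trailing slash, the usual copy-and-paste errors.
    norm = entity_id.rstrip("/").lower()
    near = sorted(e for e in all_ids if e.rstrip("/").lower() == norm)
    return {"ok": False, "reason": "entityID not in aggregate", "near_matches": near}


if __name__ == "__main__":
    # Usage: python check_idp.py <metadata.xml> <entityID>   (file name is hypothetical)
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(check_idp(fh.read(), sys.argv[2]))
```

Run against the downloaded aggregate with the entityID from the mail; an exact-string miss with an empty near-match list means the IdP simply is not in that file, while a near match points at a spelling difference between idpList and the metadata.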

----- Original Message -----
From: "fkooman" <fkooman at tuxed.net>
To: "Wenche Backman-Kamila" <wenche.backman-kamila at csc.fi>, "eduvpn-deploy" <eduvpn-deploy at list.surfnet.nl>
Sent: Tuesday, 22 September, 2020 16:10:03
Subject: Re: [eduVPN-deploy] Two-factor authentication per profile with shibboleth

On 9/22/20 2:21 PM, Wenche Backman-Kamila via eduVPN-deploy wrote:
> Hi,

Hi Wenche!

> However, I do not see how I could enable two-factor authentication for 
> only one of the profiles - is this possible or not? (The authentication 
> takes place before the profiles are even displayed) Is the only possible 
> solution to have two servers - one for general access and one for 
> two-factor privileged access?

You cannot do that *per profile*, but you can do it in a different way, 
depending on how exactly your IdP implements 2FA.

> At present, I'm merely testing what is possible and what is not, but 
> separate profiles (one with username/password authentication and one 
> with two-factor authentication) is what our current AnyConnect solution 
> is configured for...

Assuming you are using a SAML attribute to determine who gets access to 
which profile, you can use the same attribute (value) to trigger 2FA 
once we know that user has that particular attribute value.

This is supported by php-saml-sp [1], search for 
"permissionAuthnContext", which is currently not officially supported 
yet, but an audit will be completed in October after which we'll release 
1.0.0 of php-saml-sp and officially support it.

See the documentation on how you could do this. The flow would look like 
this:

1. User goes to vpn.example.org;
2. User is redirected to IdP;
3. User authenticates using username/password;
4. User returns to vpn.example.org;
5. It is determined that the user has e.g. attribute value 
"http://eduvpn.org/role/admin" as per the example that requires 2FA;
6. User is redirected again to IdP, this time with the required AuthnContext 
as part of the AuthnRequest;
7. User is asked just for the 2nd factor (hopefully SSO works and the user is 
not asked for username+password again!);
8. User returns to vpn.example.org authenticated + 2FA.

This works in production in NL so far. It is not ideal, but I have no 
idea how to implement this better... If you have any ideas, please let 
me know :)

I'm assuming AnyConnect doesn't integrate with SAML, so that's not fair ;-)

Regards,
François

[1] https://github.com/eduvpn/documentation/blob/v2/PHP_SAML_SP.md
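The flow in François's message comes down to one decision the SP makes after the first response: do the attributes it just received require a stronger AuthnContext than the IdP asserted, and if so, send a second AuthnRequest carrying a RequestedAuthnContext. The Python below is an added illustration of that decision and of the element it produces; it is not php-saml-sp or eduVPN code. The attribute-value-to-AuthnContext mapping is modelled on the idea behind permissionAuthnContext in the linked documentation, but its shape here (a dict from attribute value to a list of acceptable AuthnContextClassRef values, checked on the eduPersonEntitlement attribute) is an assumption, the assertion is constructed and trimmed (no Signature, no Conditions), and the context class URIs are just examples.

```python
"""Step-up decision for a SAML SP: does the user's attribute set require a
second AuthnRequest with a RequestedAuthnContext?

Added example, not php-saml-sp or eduVPN code. PERMISSION_ATTRIBUTES and
PERMISSION_AUTHN_CONTEXT are an assumed config shape modelled on the
permissionAuthnContext idea; sample_assertion() builds a constructed,
trimmed assertion (no Signature, no Conditions).
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ET.register_namespace("saml", NS["saml"])
ET.register_namespace("samlp", NS["samlp"])

PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REFEDS_MFA = "https://refeds.org/profile/mfa"
TOKEN_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Assumed config: which attribute(s) to inspect, and which of their values
# require which AuthnContext classes (any one of the listed classes satisfies it).
PERMISSION_ATTRIBUTES = ["eduPersonEntitlement"]
PERMISSION_AUTHN_CONTEXT = {
    "http://eduvpn.org/role/admin": [REFEDS_MFA, TOKEN_CTX],
}


def sample_assertion(authn_context, entitlement):
    """Constructed minimal assertion with one AuthnStatement and two attributes."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c0ffee" Version="2.0" IssueInstant="2020-09-25T12:00:00Z">
  <saml:Issuer>https://testidp.funet.fi/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2020-09-25T12:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonEntitlement">
      <saml:AttributeValue>{entitlement}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (AuthnContextClassRef, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    ctx = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return ctx, attrs


def required_contexts(attrs):
    """AuthnContext classes acceptable for this user, in config order; empty if none is required."""
    required = []
    for name in PERMISSION_ATTRIBUTES:
        for value in attrs.get(name, []):
            for ctx in PERMISSION_AUTHN_CONTEXT.get(value, []):
                if ctx not in required:
                    required.append(ctx)
    return required


def requested_authn_context_xml(classes):
    """The <samlp:RequestedAuthnContext> element to embed in the second AuthnRequest."""
    el = ET.Element("{%s}RequestedAuthnContext" % NS["samlp"], {"Comparison": "exact"})
    for cls in classes:
        ET.SubElement(el, "{%s}AuthnContextClassRef" % NS["saml"]).text = cls
    return ET.tostring(el, encoding="unicode")


def decide(xml_text):
    """Step 5 of the flow: accept the response, or go back to the IdP with a RequestedAuthnContext."""
    ctx, attrs = parse_assertion(xml_text)
    required = required_contexts(attrs)
    if required and ctx not in required:
        return {"action": "step_up", "required": required,
                "requested_authn_context": requested_authn_context_xml(required)}
    return {"action": "accept", "required": required, "authn_context": ctx}
```

Running decide() again on the response to the step-up request is what actually enforces the requirement: the SP must not accept the second response merely because it asked for a stronger context, but check that the returned AuthnContextClassRef is one it listed. With Comparison="exact" the IdP has to return one of the listed classes, not some other context it considers equivalent, which keeps the SP-side check a plain set membership.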
