1. Overview

The University of Vermont's evolving MFA implementation is provided as a reference architecture for inspection and critique. UVM has combined our three major authentication services (CAS, Shibboleth, and WebAuth) by using WebAuth's WebLogin interface for per-application, per-user-role, dynamic multi-factor authentication.

2. Authenticators

UVM's existing investment in Kerberos and LDAP infrastructure, along with a largely LAMP-based internal environment, works well with Stanford WebAuth's Kerberos-for-the-web approach. WebAuth handles all authentications for directly consuming applications as well as for CAS and Shibboleth, which creates a centrally manageable place to enforce and control multi-factor authentication.

2.1. WebAuth

A number of recent changes to WebAuth's WebLogin system allow per-application callbacks during user authentication that create or enforce ownership of One-Time Password (OTP) factor tokens, which provides an interface for MFA integrations. Beyond this capability, WebAuth provides a stable and feature-rich web authentication system.

2.1.1. UVM's WebLogin Screenshots
  • Here's the landing page – the standard user:password form. You can load this in your browser by visiting one of UVM's WebAuth-enabled sites – like http://wiki.uvm.edu.
  • The Duo Security OTP submission form. The form expands for each additional device enrolled.
  • The SecurID OTP submission form.
  • The Application ID form, or confirmation page, which informs the user that they are providing their identity to a new application.
  • The Application ID form with an optional alternate or delegated identity.
  • The Logout form.
  • The Logout form with failed application logouts.

2.1.2. WebLogin Parts

WebLogin runs as a FastCGI (fcgi) application implemented in Perl, using Template Toolkit (TT) for HTML. WebLogin integrates with OTP through an RPC-like callback interface to an application of your choice (http://webauth.stanford.edu/install-multifactor.html). We implemented our callback handlers in Perl; the handlers are responsible for calling out to Duo's API or the RSA SecurID server.

2.2. Shibboleth

Our Shibboleth implementation defers to WebAuth for authentication and is used where identity and attributes need to be controlled and released for applications.

2.3. CAS

We've integrated CAS; like Shibboleth, it defers to WebAuth for authentication. Our consumption of CAS will shortly include our Luminis portal implementation and Blackboard.

3. Factors Integrated

We've integrated two additional factor types along with user passwords that can be centrally enforced or requested by an application.

3.1. RSA SecurID

This legacy token generator was implemented in the initial stages of our MFA development because it could reuse our existing in-place SecurID implementation.

3.2. Duo Security

Our mobile device and personally-owned OTP generator integration has gone through Duo Security. We're quite pleased with the stability and performance. We expect to offer this factor integration to our community at large after finishing our current round of development to enable self-service of mobile device enrollment and management. We're currently using both the new Auth API and the Admin API.
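The callback handler described under 2.1.2 has to call Duo's Auth API for the passcode the user typed and turn Duo's answer into an allow or deny for WebLogin. The following is an added example, not UVM's Perl handler and not Duo's own client library, written in Python to show the two parts that matter for security: the request signing the Auth API requires (HMAC-SHA1 over a canonical string, presented as HTTP Basic auth with the integration key) and a fail-closed reading of the /auth/v2/auth response. The Duo host and keys are constructed placeholders, and `send` is an assumed injected transport so the logic can be exercised without a network.

```python
import base64, hashlib, hmac, json
from email.utils import formatdate
from urllib.parse import quote

# Constructed placeholders (assumed); substitute the real Duo API host/keys.
DUO_HOST = "api-xxxxxxxx.duosecurity.com"
DUO_IKEY = "DIXXXXXXXXXXXXXXXXXX"
DUO_SKEY = "constructed-placeholder-secret-key"

def encode_params(params):
    """Sort by key and RFC 3986-encode; this form is both the POST body
    and the last line of the signed canonical string."""
    return "&".join(f"{quote(k, safe='~')}={quote(params[k], safe='~')}"
                    for k in sorted(params))

def canonicalize(date, method, host, path, params):
    """Duo's canonical request: date, METHOD, lowercase host, path, params."""
    return "\n".join([date, method.upper(), host.lower(), path,
                      encode_params(params)])

def sign_request(method, path, params, date=None,
                 host=DUO_HOST, ikey=DUO_IKEY, skey=DUO_SKEY):
    """Signed Duo call as (url, headers, body): HMAC-SHA1 of the canonical
    string, presented as HTTP Basic auth with the integration key."""
    date = date or formatdate(usegmt=True)
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    headers = {"Date": date, "Authorization": f"Basic {token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{host.lower()}{path}", headers, encode_params(params)

def otp_allowed(response_json):
    """Fail closed: only stat=OK with result=allow succeeds; errors,
    malformed bodies and any other result deny."""
    try:
        doc = json.loads(response_json)
    except ValueError:
        return False
    resp = doc.get("response") if isinstance(doc, dict) else None
    return (isinstance(resp, dict) and doc.get("stat") == "OK"
            and resp.get("result") == "allow")

def validate_passcode(user, passcode, send):
    """The callback handler's Duo step: sign an /auth/v2/auth request for the
    user's passcode and return True only on an explicit allow. `send(url,
    headers, body)` is an injected transport so this runs offline."""
    params = {"username": user, "factor": "passcode", "passcode": passcode}
    url, headers, body = sign_request("POST", "/auth/v2/auth", params)
    return otp_allowed(send(url, headers, body))
```

In production `send` would be an HTTPS POST with the returned headers and body; the responses below are constructed to mirror Duo's documented allow, deny and error shapes.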

4. Consumers

We'll be shortly rolling out MFA enforcement to our PeopleSoft environment, and plan to offer MFA as a free service to all UVM accounts in the near future.

5. Current and projected work

Our current work is focused on our mobile device and personal token generator enrollment and management self-service application with backups.

6. Request for Detail

We'd like to provide more detail within this document for interested parties. Please let us know where you'd like to see additional information. We'll do our best to keep this document up to date.


4 Comments

  1. Nice overview. If you could provide more details about your enrollment and management applications, that would be helpful. Also, would it be possible to add some screen shots of the login interface? Thanks.

    1. I sure can add more information about enrollment and management – what kind of information are you looking for? UI stuff, workflow, technical implementation? We are still doing development in this space.

      Screenshots of our login interface... I can do that, though I am curious how they might be useful or important. Maybe you can educate me.

      1. > I sure can add more information about enrollment and management – what
        > kind of information are you looking for? UI stuff, workflow, technical
        > implementation? We are still doing development in this space.

        Yes, we're still working out the details as well. I'll create a separate page so we can compare notes.

        > Screenshots of our login interface... I can do that, though I am curious
        > how they might be useful or important.

        I'm sure you'll agree that user interface is all-important. In any case, I'd be interested in knowing more about your Duo integration. Are you using the new Duo Auth API? If not, do you allow an OTP via SMS?

        1. I've added some screenshots.

          Sure, I agree UI is important - but the problems in UI design are well-defined and understood. I've not been expecting UI discussions to be relevant or interesting to this project. Maybe I should reset my impression of the MFAC's scope of interest in the entire stack of technologies supporting MFA.

          *Also - yes, we're using the auth API and the admin API. I've added that above.