...
Overview

The University of Vermont's evolving MFA implementation is provided as a reference architecture for inspection and critique. UVM has combined our three major authentication services (CAS, Shibboleth, and WebAuth) by using WebAuth's WebLogin interface for per-application, per-user-role, dynamic multi-factor authentication.

Authenticators

UVM's existing Kerberos and LDAP infrastructure investment, along with a largely LAMP-based internal environment, works well with Stanford WebAuth's Kerberos-for-the-web-like approach. WebAuth handles all authentications for directly consuming applications as well as authentications for CAS and Shibboleth, which creates a centrally manageable place to enforce and control multi-factor authentication.

WebAuth

A number of recent changes to WebAuth's WebLogin system allow per-application callbacks for user authentication to create or enforce the ownership of One Time Password (OTP) factor tokens, which provides an interface for MFA integrations. Beyond this capability, WebAuth provides a stable and feature-rich web authentication system.

UVM's WebLogin Screenshots
WebLogin Parts

WebLogin runs as an FCGI implemented in Perl, using the Template Toolkit (TT) for HTML. WebLogin integrates with OTP through an RPC-like callback interface to an application of your choice (http://webauth.stanford.edu/install-multifactor.html). We implemented our callback handlers in Perl; the handlers are responsible for calling out to Duo's API or the RSA SecurID server.

Shibboleth

Our Shibboleth implementation defers to WebAuth for authentication and is used where identity and attributes need to be controlled and released for applications.

CAS

We've integrated CAS; like Shibboleth, it defers to WebAuth for authentication. Our consumption of CAS will shortly include our Luminis portal implementation and Blackboard.

Factors Integrated

We've integrated two additional factor types, along with user passwords, that can be centrally enforced or requested by an application.

RSA SecurID

This legacy token generator was implemented in the initial stages of our MFA development because it was capable of reusing our existing in-place SecurID implementation.

Duo Security

Our mobile device and personally-owned OTP generator integration has gone through Duo Security. We're quite pleased with the stability and performance. We expect to offer this factor integration to our community at large after finishing our current round of development to enable self-service of mobile device enrollment and management. We're currently using both the new Auth API and the Admin API.

Consumers

We'll shortly be rolling out MFA enforcement to our PeopleSoft environment, and plan to offer MFA as a free service to all UVM accounts in the near future.

Current and projected work

Our current work is focused on our mobile device and personal token generator enrollment and management self-service application, with backups.

Request for Detail

We'd like to provide more detail within this document for interested parties. Please let us know where you'd like to see additional information.
We'll do our best to keep this document up to date.
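As an added example for the WebLogin Parts section above (not UVM's or WebAuth's code): a fail-closed Perl helper of the kind a WebLogin OTP callback handler would use to check a user's passcode against Duo's Auth API. The Duo integration key, secret key and API hostname are placeholders, and the WebLogin callback protocol itself is assumed to be handled by the caller; what the code shows is Duo's documented request signing (HMAC-SHA1 over the date, method, host, path and sorted parameters) and the allow/deny handling the handler must get right.

```perl
# Added example, not UVM's handler: sign and send a Duo Auth API passcode check
# as a Perl WebLogin OTP callback would.  Needs IO::Socket::SSL; ikey/skey/host are placeholders.
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha1_hex);
use MIME::Base64 qw(encode_base64);
use URI::Escape  qw(uri_escape);
use POSIX        qw(strftime);
use HTTP::Tiny;
use JSON::PP     qw(decode_json);

my %duo = (ikey => 'DIXXXXXXXXXXXXXXXXXX',          # placeholder integration key
           skey => 'PLACEHOLDER_SECRET_KEY',        # placeholder secret key
           host => 'api-xxxxxxxx.duosecurity.com'); # placeholder API hostname

# Duo's documented signing: HMAC-SHA1 over "date\nMETHOD\nhost\npath\nparams",
# params sorted by key and RFC 3986 encoded.  Returns the encoded body and the
# Authorization header value, Basic base64("ikey:hex_signature").
sub duo_sign {
    my ($conf, $method, $path, $params, $date) = @_;
    my $unsafe = '^A-Za-z0-9\-._~';
    my $canon_params = join '&',
        map { uri_escape($_, $unsafe) . '=' . uri_escape($params->{$_}, $unsafe) }
        sort keys %$params;
    my $canon = join "\n", $date, uc $method, lc $conf->{host}, $path, $canon_params;
    my $sig   = hmac_sha1_hex($canon, $conf->{skey});
    return ($canon_params, 'Basic ' . encode_base64("$conf->{ikey}:$sig", ''));
}

# Fail closed: 1 only when Duo explicitly answers result=allow; a transport
# error, a malformed body, or any other result counts as a denial.
sub duo_validate_passcode {
    my ($conf, $user, $passcode, $client_ip) = @_;
    my $path   = '/auth/v2/auth';
    my %params = (username => $user, factor => 'passcode',
                  passcode => $passcode, ipaddr => $client_ip);
    my $date   = strftime('%a, %d %b %Y %H:%M:%S %z', localtime);
    my ($body, $auth) = duo_sign($conf, 'POST', $path, \%params, $date);
    my $res = HTTP::Tiny->new(timeout => 10, verify_SSL => 1)->request(
        'POST', "https://$conf->{host}$path",
        { headers => { Date => $date, Authorization => $auth,
                       'Content-Type' => 'application/x-www-form-urlencoded' },
          content => $body });
    return 0 unless $res->{success};
    my $data = eval { decode_json($res->{content}) };
    return 0 unless ref $data eq 'HASH' && ($data->{stat} // '') eq 'OK';
    return (($data->{response}{result} // '') eq 'allow') ? 1 : 0;
}

# Called from the callback handler: my $ok = duo_validate_passcode(\%duo, $user, $otp, $ip);
```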
...