Overview

The University of Vermont's evolving MFA implementation is provided as a reference architecture for inspection and critique. UVM has combined its three major authentication services (CAS, Shibboleth, and WebAuth) by using WebAuth's WebLogin interface to provide per-application, per-user-role, dynamic multi-factor authentication.

Authenticators

UVM's existing Kerberos and LDAP infrastructure investment, along with a largely LAMP-based internal environment, works well with Stanford WebAuth's Kerberos-for-the-web style approach. WebAuth handles all authentications for directly consuming applications as well as authentications for CAS and Shibboleth, which creates a single, centrally-manageable place to enforce and control multi-factor authentication.

WebAuth

A number of recent changes to WebAuth's WebLogin system allow per-application callbacks for user authentication to create or enforce the ownership of One Time Password (OTP) factor tokens, which provides an interface for MFA integrations. Beyond this capability, WebAuth provides a stable and feature-rich web authentication system.

UVM's WebLogin Screenshots
  • The landing page – the standard user:password form. You can load this in your browser by visiting one of UVM's WebAuth-enabled sites – like http://wiki.uvm.edu.
  • The DuoSecurity OTP submission form. The form expands for each additional device enrolled.
  • The SecurID OTP submission form.
  • The Application ID form, or confirmation page to inform the user they are providing their identity to a new application.
  • The Application ID form with optional alternate or delegated identity.
  • The Logout form.
  • The Logout form with failed application logouts.
WebLogin Parts

WebLogin runs as a FastCGI (fcgi) application implemented in Perl, using Template Toolkit (TT) for HTML. WebLogin integrates with OTP through an RPC-like callback interface to an application of your choice (http://webauth.stanford.edu/install-multifactor.html). We implemented our callback handlers in Perl; the handlers are responsible for calling out to Duo's API or the RSA SecurID server.
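To make the two ideas above concrete – a per-application, per-role decision about which factors to demand, and a callback handler that validates an OTP token on behalf of the login front end – here is an added example in Python. It is not UVM's code, not WebAuth's callback protocol, and not a Duo or SecurID client (UVM's real handlers are Perl and call out to those services); the action names "userinfo" and "validate", the policy table, the user "alice" and the enrolled secret are all constructed for the demonstration. A standard HOTP/TOTP check (RFC 4226/6238) stands in for the external OTP service so the flow runs offline, and it tracks the last accepted time step so a captured code cannot be replayed inside the acceptance window.

```python
"""Model of an OTP callback handler with a per-application, per-role factor
policy.  Added example: not UVM's code and not WebAuth's real callback API.
The TOTP backend stands in for the Duo / SecurID call-outs; every name,
policy entry and secret below is constructed for the demonstration."""
import hashlib
import hmac
import struct
import time

# Constructed policy: extra factors an application requires for a role.
# "password" is always required; "*" applies to every role.
FACTOR_POLICY = {
    "peoplesoft": {"hr-admin": {"otp"}, "*": set()},
    "wiki":       {"*": set()},
}


def required_factors(app_id, roles):
    """Return the set of factors a user holding `roles` needs for `app_id`."""
    factors = {"password"}
    app_rules = FACTOR_POLICY.get(app_id, {})
    for role in list(roles) + ["*"]:
        factors |= app_rules.get(role, set())
    return factors


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def verify_totp(secret, code, now, last_step, step=30, skew=1):
    """RFC 6238 check of `code` against the current time step +/- `skew`.
    Any step at or before `last_step` is refused, so a code that was already
    accepted (or an older one) cannot be replayed.  Returns the accepted
    step number, or None when the code is rejected."""
    if not (code.isascii() and code.isdigit()):
        return None
    current = int(now) // step
    for candidate in range(current - skew, current + skew + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


class OtpBackend:
    """Enrolled TOTP secrets per user plus the last step each user has used."""

    def __init__(self, enrolments):
        self.secrets = dict(enrolments)
        self.last_step = {user: -1 for user in enrolments}

    def validate(self, user, code, now=None):
        now = time.time() if now is None else now
        secret = self.secrets.get(user)
        if secret is None:          # unenrolled users never pass the OTP factor
            return False
        step = verify_totp(secret, code, now, self.last_step[user])
        if step is None:
            return False
        self.last_step[user] = step  # burn the step so the code is single-use
        return True


def handle_callback(backend, request):
    """Dispatch one callback from the login front end.  `request` is a dict
    with keys action, user, app_id, roles, code (and optionally now, for
    deterministic testing).  The response shapes are constructed."""
    action = request.get("action")
    if action == "userinfo":
        needed = required_factors(request["app_id"], request.get("roles", []))
        return {"status": "ok", "required": sorted(needed),
                "enrolled": request["user"] in backend.secrets}
    if action == "validate":
        ok = backend.validate(request["user"], request.get("code", ""),
                              request.get("now"))
        return {"status": "ok" if ok else "denied", "factor": "otp"}
    return {"status": "error", "reason": "unknown action %r" % action}


# Constructed enrolment using the RFC 6238 reference secret.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    backend = OtpBackend({"alice": DEMO_SECRET})
    print(handle_callback(backend, {"action": "userinfo", "user": "alice",
                                    "app_id": "peoplesoft", "roles": ["hr-admin"]}))
    code = hotp(DEMO_SECRET, 59 // 30)  # what alice's token shows at t=59
    print(handle_callback(backend, {"action": "validate", "user": "alice",
                                    "code": code, "now": 59}))
```

The policy lookup is what lets one login service enforce MFA "per application, per user role": the front end asks the callback which factors a session needs before deciding whether to show the OTP form, and the validate action is where the handler would call Duo or the SecurID server instead of the local TOTP check. The replay guard matters for any OTP scheme whose acceptance window is wider than one code, since a phished or shoulder-surfed code remains valid for the rest of that window otherwise.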

Shibboleth

Our Shibboleth implementation defers to WebAuth for authentication and is used where identity and attributes need to be controlled and released for applications.

CAS

We've integrated CAS – like Shibboleth it defers to WebAuth for authentication. Our consumption of CAS will shortly include our Luminis portal implementation and Blackboard.

Factors Integrated

We've integrated two additional factor types along with user passwords that can be centrally enforced or requested by an application.

RSA SecurID

This legacy token generator was implemented in the initial stages of our MFA development because it was capable of reusing our existing in-place SecurID implementation.

Duo Security

Our mobile device and personally-owned OTP generator integration has gone through Duo Security. We're quite pleased with the stability and performance. We expect to offer this factor integration to our community at large after finishing our current round of development to enable self-service of mobile device enrollment and management. We're currently using both the new Auth API and the Admin API.

Consumers

We'll be shortly rolling out MFA enforcement to our PeopleSoft environment, and plan to offer MFA as a free service to all UVM accounts in the near future.

Current and projected work

Our current work is focused on our mobile device and personal token generator enrollment and management self-service application with backups.

Request for Detail

We'd like to provide more detail within this document for interested parties. Please let us know where you'd like to see additional information. We'll do our best to keep this document up to date.