
DRAFT - Barely under Construction...

The Multi-Context Broker

The Multi-Context Broker (MCB) is an extension to Shibboleth that improves Shibboleth's handling of multiple authentication methods, including multi-factor authentication, as well as multiple authentication contexts and assurance profiles.  This document contains information about the MCB, what it can be used for, and how it is installed and configured.

For a quick overview of the MCB and what it does, please see [this demonstration] [TBD].  Read on for more detailed information.

Why Did We Create the Multi-Context Broker?

During 2012, the InCommon Assurance Program explored implementation issues of assurance, most notably with CI Logon, the National Institutes of Health and the Department of Education. The latter two organizations are required to follow the Federal Identity Credential and Access Management committee’s SAML2 Web SSO Profile for requesting Authentication Contexts (e.g., assurance profiles). CI Logon, run by NCSA, has more flexibility in its requirements.

While testing, campus implementers identified the following issues, as of version 2.4 of the Shibboleth IdP:

  • If a user used her password to log in as a Bronze authnContext, she had to use the same password to re-login for Silver. Shibboleth does not know that the same authentication method is used for both Bronze and Silver, forcing re-authentication, even when a previous context’s authentication would suffice.
  • If a user logs in with his password, accesses a Silver service, but has forgotten the hardware token required to assert the Silver Authentication Context, he cannot decide to accept a lower level of service by telling the IdP to go ahead and assert Bronze on his behalf. The login handler doesn’t support such multi-factor use cases well.
  • If an SP passed a list of Authentication Contexts (e.g., [Silver, Bronze, unspecified]) with the intent of having the IdP provide the highest possible Context for the user, the IdP would not process the list in a prioritized fashion, resulting in a Bronze Context sent one time, Silver another, and unspecified as well.

In January of 2013, InCommon convened the group described in the Acknowledgements section to share their testing experiences to date and to help develop a requirements document for an initial set of enhancements to the Shibboleth IdP that address these issues. The requirements were intended to be 1) delivered to the Shibboleth Consortium for consideration in a future IdP release and 2) used as the basis for an RFP to develop a short-term solution for campuses interested in implementing assurance over the wire.

In summary, the testing group saw two primary SP use cases:

  • The SP requests a specific Authentication Context, like Silver.
  • The SP requests one of a set of Authentication Contexts, in priority order (e.g., [Silver, Bronze]), that are required for different levels of service. The IdP presents a choice of authentication methods that will satisfy the request and for which the user is eligible, and returns the selected Context to the SP upon successful authentication. The SP then tailors the service provided accordingly.

In addition, the diversity of Higher Education IdP implementations, and of the identity management and authentication systems that support them, calls for a certain level of configurability and flexibility in how the Shibboleth IdP supports the use cases above. To support the Silver Identity Assurance profile, one organization may determine that bringing its password infrastructure into compliance is a viable option, while another may layer on a multi-factor solution and bypass the complexity and scope of the current password infrastructure. The solution must be able to manage the use of multiple authentication systems, the contexts in which each is required, and the user’s ability to choose their authentication method when multiple options exist.
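To make the three issues and the two SP use cases above concrete, here is a small model of the prioritized context selection the testing group asked for. It is an added example, not code from the Multi-Context Broker or the Shibboleth IdP; the context identifiers (apart from the standard SAML "unspecified" class), the method-to-context policy table and the function names are all constructed for illustration.

```python
"""Prioritized authentication-context selection (constructed example).

Not code from the Multi-Context Broker: it only models the behaviour the
testing group described. Context identifiers and the method-to-context
policy are placeholders invented for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Placeholder context identifiers (not the real InCommon assurance URIs).
SILVER = "urn:example:assurance:silver"
BRONZE = "urn:example:assurance:bronze"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Assumed deployment policy: the contexts each login method satisfies.
# A stronger method also satisfies the weaker contexts, so one login can
# serve several contexts without forcing the user to log in again.
METHOD_CONTEXTS: Dict[str, Set[str]] = {
    "password": {BRONZE, UNSPECIFIED},
    "password+token": {SILVER, BRONZE, UNSPECIFIED},
}


@dataclass
class Decision:
    # Context to assert immediately, because the existing session already
    # satisfies the highest-priority context this user can reach.
    context: Optional[str] = None
    # Otherwise: (context, method) choices to present, highest priority first.
    offered: List[Tuple[str, str]] = field(default_factory=list)


def broker(requested: List[str], eligible: Set[str],
           session_methods: Set[str]) -> Decision:
    """Walk the SP's list in its own priority order and decide what to do.

    requested       -- RequestedAuthnContext classes, highest priority first
    eligible        -- methods this user is enrolled for (e.g. owns a token)
    session_methods -- methods already completed in the current IdP session
    """
    decision = Decision()
    for ctx in requested:
        methods = sorted(m for m in eligible
                         if ctx in METHOD_CONTEXTS.get(m, set()))
        if not methods:
            continue  # user cannot satisfy this context; try the next one
        if not decision.offered and any(m in session_methods for m in methods):
            # Highest reachable context is already met: no re-login needed.
            return Decision(context=ctx)
        # Let the user pick; lower contexts stay available as a step-down.
        decision.offered.extend((ctx, m) for m in methods)
    # An empty 'offered' list means no requested context can be satisfied;
    # the caller should return a SAML error rather than assert something else.
    return decision


def context_for(requested: List[str], method: str) -> Optional[str]:
    """Context to return to the SP once the user completed `method`:
    the highest-priority requested context that this method satisfies."""
    for ctx in requested:
        if ctx in METHOD_CONTEXTS.get(method, set()):
            return ctx
    return None


if __name__ == "__main__":
    req = [SILVER, BRONZE, UNSPECIFIED]
    print(broker(req, {"password", "password+token"}, {"password"}))
    print(context_for(req, "password"))  # user without token steps down
```

Walking the list in the SP's order makes the result deterministic (the third issue), checking the session before prompting avoids the needless re-login of the first issue, and keeping the lower-context choices in the offered list is what lets a user who forgot the token accept Bronze instead (the second issue).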

What Can the Multi-Context Broker Do?

Where Do I Get the Multi-Context Broker?

How Do I Configure the Multi-Context Broker?

  • Configuration examples from acceptance testers