grouper-users - RE: [grouper-users] [Ext] Grouper UI default timeout in ITAP container
Subject: Grouper Users - Open Discussion List
- From: "Redman, Chad" <>
- To: "Hyzer, Chris" <>, "Black, Carey M." <>, Bryan Wooten <>, " Mailing List" <>
- Subject: RE: [grouper-users] [Ext] Grouper UI default timeout in ITAP container
- Date: Sat, 8 Jun 2019 20:13:24 +0000
We require MFA at the IDP for Grouper. There is a controlled set of applications requiring MFA: Grouper, ERP, Splunk, the Middleware wiki with sensitive information, etc., although more and more apps want to jump on board. The Duo login frame has an option to remember the authentication for 12 hours, so it's only something people need to do once per day.
There is definitely an advantage to keeping it in the IDP, as it simplifies configuration, plus centralizes logging and monitoring.
-Chad
From: [mailto:]
On Behalf Of Hyzer, Chris
I enjoy having the authn out of grouper, but if there is consensus to do this we can prioritize it 😊 What do others think? Btw at penn we require two step at authn time, so if an app did it too, that would annoy users. But if it were only at certain crucial times that might be ok. I would prefer if we could redirect back to IdP or even an SP link to make this happen though, if that’s possible… otherwise, do we push, auto call, would we integrate the Duo iframe? Seems dicey
From: Black, Carey M. <>
Chris,
You added that bit about my Jira just so I would not comment and add to the thread. Thank you. 😊 But you forgot to include the GRP link so others could “up vote” (current count = 0 ) or “comment on it” (current count = 0 ) too. ( So close, but I still get to comment! 😊 ) https://todos.internet2.edu/browse/GRP-2130
And a bit of an aside… ( but partially prompted by Bryan’s comments. )
What do you think about extending the Grouper Login process/application processes to support a “MFA step up” logic? I have been considering the idea of asking for MFA support directly in the Grouper application. It also prevents the “full impersonation of a user” to the application from the IdP. 😊 The notion that a full break of the IdP could be mitigated by an application that does MFA after the IdP was kicked around internally.
For some tools (security related, broad reach/range, etc…) that seems like a superior security design to require some Authentication factor in the application itself. Basically the app would only do “MFA” auth internally, but still use the IdP for the SSO “first auth”. Grouper could use “local MFA” at login *and* at “important application events” to verify the user is still who they need to be. ( Fight unattended terminal problems and use before crucial changes are made in Grouper. ) It could add defenses to “Wheel” (or other special groups members actions), and “guard the gates” for approvals, workflows, attestations, template usage, etc… Maybe a kind of “SecurityHook” that could be enabled for “standard events” (via config) or coded and extended for any custom logic/events?
Bonus: ( likely beyond the veil of what anyone else would want to do… But it is an extended idea…) And if one was really paranoid then each app could choose to use their own “local” MFA instead of relying on a shared service (like Duo) too. (Obviously with added service overhead/management/maintenance per app.)
Just a thought (kind of) on the topic.
-- Carey Matthew
From: <>
On Behalf Of Bryan Wooten
I agree with Chris 100%.
I think this is an institutional / policy issue.
So many meetings/questions re: timeout. CAS vs. Shib. vs. individual applications (Cloud / Peoplesoft / custom in house). Oh, and let’s add “remember me” and MFA. Sorry, let’s add password change policies to the mix.
Between CAS and Shib we have over 1000 servers and probably 1500+ applications; there is no way I can herd all those cats.
I get confused between my social/entertainment sites, my bank and work… We are all just users that want consistency. Or at least sanity.
-Bryan
From: <> on behalf of Chris Hyzer <>
There are three timeouts at play in the Grouper UI with the ITAP container:
I've had complaints about 30 min sessions being too short.
In my mind, the current configuration does not make sense. If the tomcat session dies in 30 minutes, the shib SP session will start another one (since it is active for 8 hours). But whatever the person was working on will be interrupted and a potential CSRF error will occur. I think the tomcat session should equal the shib SP session. If the shib/tomcat is 30 minutes, and the typical SSO/IdP session is >= 60 minutes, then again the user's session is disrupted: they do not need to log in, but might experience an error.
We discussed this on slack, and I recommend we change the *default* shibSP / tomcat timeout to 60 minutes. The 8 hour SP session lifetime should not change. In addition we will document how to overlay adjustments to the config.
Also, btw, Matt Black suggested in jira that we change the UI to show a message about session timeout (so you aren’t surprised the next time you click) which I agree with and we can see if we can get something simple to work before too long.
Let us know any thoughts about this change. 😊
Thanks!