shibboleth-dev - Re: [Shib-Dev] Account lockout
Subject: Shibboleth Developers
List archive
- From: Christopher Bongaarts <>
- To:
- Subject: Re: [Shib-Dev] Account lockout
- Date: Wed, 23 Mar 2011 12:50:05 -0500
- Organization: University of Minnesota
Chad La Joie wrote:
If this is important behavior why isn't your IdM system doing that?
Because the IdM system doesn't have enough information about the request to be able to set the limitation (in our case, the client IP; all it has is the intermediary server). Otherwise it is trivial to mount widespread denial of service attacks.
What you describe is pretty much useless unless every single system is
doing it. And if every system isn't doing it, and thus the feature
isn't effective, why would you want it in the IdP?
As you note, all the "outward" facing systems need to provide this functionality or you leave yourself open to attacks. This is actually one of Shib's selling points: if you choose to do LDAP (e.g.) authentication, then your application needs to take responsibility for securing the credentials and implementing controls to minimize the risk of credential compromise. Or you could use Shib and just let us handle it.
On Wed, Mar 23, 2011 at 13:11, Christopher Bongaarts
<>
wrote:
Has anyone implemented an "attack lock" (X failed password attempts without
a success in Y minutes locks out further attempts for Z minutes) for the
IdP?
If not, would the StorageService be a good place to keep the necessary
state?
--
%% Christopher A. Bongaarts %%
%%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
--
%% Christopher A. Bongaarts %%
%%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
- [Shib-Dev] Account lockout, Christopher Bongaarts, 03/23/2011
- Re: [Shib-Dev] Account lockout, Andrew Petro, 03/23/2011
- Re: [Shib-Dev] Account lockout, Chad La Joie, 03/23/2011
- Re: [Shib-Dev] Account lockout, Christopher Bongaarts, 03/23/2011
- RE: [Shib-Dev] Account lockout, Dergenski, Todd A., 03/24/2011
Archive powered by MHonArc 2.6.16.