shibboleth-dev - Re: [Shib-Dev] Account lockout

  • From: Christopher Bongaarts <>
  • To:
  • Subject: Re: [Shib-Dev] Account lockout
  • Date: Wed, 23 Mar 2011 12:50:05 -0500
  • Organization: University of Minnesota

Chad La Joie wrote:
> If this is important behavior why isn't your IdM system doing that?

Because the IdM system doesn't have enough information about the request to be able to set the limitation (in our case, the client IP; all it has is the intermediary server). Otherwise it is trivial to mount widespread denial of service attacks.

> What you describe is pretty much useless unless every single system is
> doing it. And if every system isn't doing it, and thus the feature
> isn't effective, why would you want it in the IdP?

As you note, all the "outward" facing systems need to provide this functionality or you leave yourself open to attacks. This is actually one of Shib's selling points: if you choose to do LDAP (e.g.) authentication, then your application needs to take responsibility for securing the credentials and implementing controls to minimize the risk of credential compromise. Or you could use Shib and just let us handle it.

> On Wed, Mar 23, 2011 at 13:11, Christopher Bongaarts <> wrote:
>> Has anyone implemented an "attack lock" (X failed password attempts without
>> a success in Y minutes locks out further attempts for Z minutes) for the
>> IdP?
>>
>> If not, would the StorageService be a good place to keep the necessary
>> state?
>> --
>> %% Christopher A. Bongaarts %% %%
>> %% OIT - Identity Management %% http://umn.edu/~cab %%
>> %% University of Minnesota %% +1 (612) 625-1809 %%

--
%% Christopher A. Bongaarts %% %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
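The "attack lock" described in the thread (X failures with no intervening success within Y minutes locks the key for Z minutes), together with the point about why the lock has to be keyed on the client IP rather than on the username alone, as an added illustration that is not part of the original messages and not Shibboleth IdP or StorageService code. The class name, the key functions and the login attempts (RFC 5737 test addresses, user "alice") are all constructed for the example; a real deployment would hold the same per-key state in a shared store rather than in process memory.

```python
from collections import defaultdict, deque


class AttackLock:
    """Sliding-window lockout (hypothetical helper, not Shibboleth code):
    max_failures failures within window_minutes, with no success in between,
    lock the key for lockout_minutes."""

    def __init__(self, max_failures, window_minutes, lockout_minutes):
        self.max_failures = max_failures
        self.window = window_minutes * 60
        self.lockout = lockout_minutes * 60
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lock expires

    def _prune(self, key, now):
        # Drop failures that have aged out of the Y-minute window.
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[key]  # Z minutes have passed; lock lapses
            return False
        return True

    def record_failure(self, key, now):
        """Returns True if this failure triggered a lock."""
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            self.failures[key].clear()
            return True
        return False

    def record_success(self, key, now):
        # A success resets the count ("without a success in Y minutes").
        self.failures[key].clear()


# Constructed login attempts: (seconds since start, client IP, username, password_ok).
# An attacker at 203.0.113.7 guesses alice's password five times; then the
# real alice, at 10.0.0.5, logs in with the correct password.
ATTEMPTS = [
    (0, "203.0.113.7", "alice", False),
    (10, "203.0.113.7", "alice", False),
    (20, "203.0.113.7", "alice", False),
    (30, "203.0.113.7", "alice", False),
    (40, "203.0.113.7", "alice", False),  # fifth failure -> lock
    (50, "10.0.0.5", "alice", True),
]


def key_by_user(ip, user):
    # What you are reduced to when only the intermediary's address is visible.
    return user


def key_by_ip_and_user(ip, user):
    # What the IdP can do because it sees the real client IP.
    return (ip, user)


def run(lock, key_func):
    """Replay ATTEMPTS against the lock; return one outcome string per attempt."""
    results = []
    for t, ip, user, ok in ATTEMPTS:
        key = key_func(ip, user)
        if lock.is_locked(key, t):
            results.append("locked")
            continue
        if ok:
            lock.record_success(key, t)
            results.append("success")
        else:
            lock.record_failure(key, t)
            results.append("failed")
    return results


def legit_user_outcome(key_func):
    """Outcome of the real user's attempt under a given keying scheme."""
    lock = AttackLock(max_failures=5, window_minutes=5, lockout_minutes=15)
    return run(lock, key_func)[-1]


def lock_expiry_check():
    """Lock set at t=40 with a 15-minute lockout lapses at t=940."""
    lock = AttackLock(max_failures=5, window_minutes=5, lockout_minutes=15)
    for t in range(0, 50, 10):
        lock.record_failure("k", t)
    return (lock.is_locked("k", 939), lock.is_locked("k", 940))


if __name__ == "__main__":
    print("keyed by username only:", legit_user_outcome(key_by_user))
    print("keyed by (client IP, username):", legit_user_outcome(key_by_ip_and_user))
```

With `key_by_user` the attacker's five failures lock the real user out ("locked"); with `key_by_ip_and_user` the real user's attempt from a different address succeeds. A system that only sees the intermediary server's address is effectively in the first situation for every user behind that intermediary, which is the denial-of-service exposure the reply is talking about.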