Shibboleth Developers

[Christopher Bongaarts <>]

Tom Scavo wrote:

> Since mod_authn_otp supports many token types (http://bit.ly/gTc5re),
> various soft tokens should work as well, including the Google
> Authenticator (http://bit.ly/9bP3Zb). This suggests it might be
> possible to add 2-factor SAML-based authentication to Google Apps.

Google doesn't care what authentication method you use, so if you have 
an IdP like ours that returns different AuthnContextClassRefs depending 
on whether 2-factor was used, people can use 2-factor (as I did when 
logging in this morning) but we cannot force its use.  Ideally, there 
would be some mechanism to, on a per-user or group basis, require a 
particular AuthnContext on the Google side.  I'm not going to hold my 
breath.

If one had an IdP that *only* did 2-factor, Google would happily accept 
that.  Nothing's stopping you from doing that today (perhaps with 
mod_authn_otp + the RemoteUser LoginHandler).

--
%%  Christopher A. Bongaarts   %%  

          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%