shibboleth-dev - Re: [Shib-Dev] [PATCH] Multi-factor authentication
- From: Fredrik Thulin <>
- To:
- Cc: Etienne Dysli <>
- Subject: Re: [Shib-Dev] [PATCH] Multi-factor authentication
- Date: Thu, 14 Apr 2011 19:40:44 +0200
On Thu, Apr 14, 2011 at 4:55 PM, Etienne Dysli <> wrote:
> On 27/01/11 20:55, Fredrik Thulin wrote:
>> What say you? All feedback welcome! Testers and collaborators even more so.
>
> Hi Fredrik,
>
> I've tried your module and it's nice. :) Here are some technical remarks.
Etienne, thank you very much for trying it out and reporting about the
experience.
>> handler.xml :
>> <!-- Multi factor authentication login handler -->
>> <ph:LoginHandler xsi:type="ph:MultiFactorAuth"
>
> Your patch says "ph:MultiFactor" but the right type is the one here
> "ph:MultiFactorAuth".
Sorry, I can't find this anywhere in my current sources, which gets me
a bit worried - have you actually tried the first version, which was a
patch to the IdP? The thread you replied in kind of indicates that.
Chad La Joie advised me to turn the patch into an extension instead,
which I did. The extension is much better documented (at
https://wiki.shibboleth.net/confluence/x/aYBC).
>> jaasConfigurationLocation="file:///local/shibboleth/idp/conf/login.config">
>
> Again your patch gives a different file name ("mf-login.config"). In my
> experience, this didn't work: the standard UsernamePassword LoginHandler
> would load it too (why?) and try to validate an OTP without having one
> (only 2 fields in the login form). I've worked around this by changing
> the jaasConfigName so that UsernamePassword and MultiFactorAuth don't
> use the same and having only one config file. Thus I have in login.config:
>
> ShibUserPassAuth {
> edu.vt.middleware.ldap.jaas.LdapLoginModule required
> ...
> };
>
> ShibMultiFactorAuth {
> edu.vt.middleware.ldap.jaas.LdapLoginModule required
> ...
>
> com.yubico.jaas.YubikeyLoginModule required
> ...
> };
Neat! That might be a better way to do it in general too - even more
so if it is the only way to actually use the standard UsernamePassword
login handler together with the MultiFactor one. Please update the
wiki page yourself if you want to.
>> /* second factor */
>> com.yubico.jaas.YubikeyLoginModule required
>> clientId="4711";
>
> Am I supposed to use this clientId? (it works, but...) If not, how can I
> get one?
You can get a unique id at https://upgrade.yubico.com/getapikey/ - it
is really only needed if you don't use HTTPS to connect to the
validation server.
/Fredrik
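The point Etienne and Fredrik settle on above is that the two login handlers must reference different JAAS application names, because a JAAS name selects a whole module stack and every module flagged "required" in that stack must succeed. The following is an added, self-contained Java example (not code from the Shibboleth IdP, the MultiFactor extension, vt-ldap or the Yubico JAAS module) that reproduces the failure mode with stand-in modules: a two-field form succeeds against a single-module stack, fails against a two-module stack because the second "required" module cannot obtain an OTP, and succeeds once the form supplies one. The class names `PasswordModule` and `OtpModule`, the user table, the OTP value and the "otp" callback prompt are constructed for illustration.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

// Added example, not the IdP's or the extension's code. Module classes, the
// single-user table and the OTP value are constructed for demonstration only.
public class JaasStackDemo {

    /** Minimal base: remembers the handler; commit/abort/logout are no-ops. */
    abstract static class BaseModule implements LoginModule {
        protected CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    /** First factor, standing in for an LDAP bind. Constructed credential table. */
    public static class PasswordModule extends BaseModule {
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("username");
            PasswordCallback pw = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { name, pw });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot obtain username/password: " + e);
            }
            char[] secret = pw.getPassword();
            boolean ok = "alice".equals(name.getName()) && secret != null
                    && "correct horse".equals(new String(secret));
            pw.clearPassword();
            if (!ok) throw new FailedLoginException("bad username or password");
            return true;
        }
    }

    /** Second factor, standing in for an OTP validator. Asks the form for an "otp" field. */
    public static class OtpModule extends BaseModule {
        public boolean login() throws LoginException {
            TextInputCallback otp = new TextInputCallback("otp");
            try {
                handler.handle(new Callback[] { otp });
            } catch (IOException | UnsupportedCallbackException e) {
                // A two-field login form has no OTP to hand over: the stack fails here.
                throw new FailedLoginException("no OTP supplied: " + e);
            }
            if (!"cccccc-demo-otp".equals(otp.getText())) throw new FailedLoginException("bad OTP");
            return true;
        }
    }

    /** Two distinct JAAS application names, each with its own REQUIRED module stack. */
    static final class TwoStackConfig extends Configuration {
        private static AppConfigurationEntry required(Class<?> module) {
            return new AppConfigurationEntry(module.getName(), LoginModuleControlFlag.REQUIRED, Collections.emptyMap());
        }
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if ("ShibUserPassAuth".equals(name))
                return new AppConfigurationEntry[] { required(PasswordModule.class) };
            if ("ShibMultiFactorAuth".equals(name))
                return new AppConfigurationEntry[] { required(PasswordModule.class), required(OtpModule.class) };
            return null;
        }
    }

    /** Plays the login form: fills the fields it has, rejects callbacks it cannot satisfy. */
    static CallbackHandler form(String user, String pass, String otp) {
        return cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                else if (cb instanceof TextInputCallback && otp != null) ((TextInputCallback) cb).setText(otp);
                else throw new UnsupportedCallbackException(cb, "login form has no such field");
            }
        };
    }

    /** Returns true if the named JAAS stack accepts the submitted form. */
    public static boolean attempt(String jaasConfigName, String user, String pass, String otp) {
        try {
            new LoginContext(jaasConfigName, new Subject(), form(user, pass, otp), new TwoStackConfig()).login();
            return true;
        } catch (LoginException e) {
            System.out.println(jaasConfigName + " rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Two-field form, single-factor stack: accepted.
        System.out.println(attempt("ShibUserPassAuth", "alice", "correct horse", null));
        // Same two-field form, MFA stack: the REQUIRED OtpModule gets no OTP, so the whole login fails.
        System.out.println(attempt("ShibMultiFactorAuth", "alice", "correct horse", null));
        // Three-field form, MFA stack: both REQUIRED modules pass.
        System.out.println(attempt("ShibMultiFactorAuth", "alice", "correct horse", "cccccc-demo-otp"));
    }
}
```

Compile and run with `javac JaasStackDemo.java && java JaasStackDemo`. The programmatic `Configuration` subclass plays the role of the `login.config` file: if both handlers had pointed at the same name, the password-only form would always have hit the second stanza's OTP module, which is exactly the symptom described in the quoted message.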