Azure MFA with Shibboleth


Azure MFA with Shibboleth

sean_m_flannery
Hello,

This question is a bit broad, but does anyone have any experience using Shibboleth IDP with Azure ADFS and Azure MFA?

The last post I saw on this question was from about a year ago in the forums and it contained some conversations of people looking into it, but no one seemed to have any real experiences with it yet.

I'm finding a lot of info on Azure as an IDP and Azure with Shibboleth ADFS but nothing that specifically mentions how Azure MFA, which our org uses for webmail, would impact that design.

If anyone has any experience with that, and whether it does or does not work, I'd appreciate that feedback very much.

Best

J. Walter Thompson

This transmission is intended solely for the person or organization to whom it is addressed and it may contain privileged and confidential information. If you are not the intended recipient you should not copy, distribute or take any action in reliance on it. If you believe you received this transmission in error please notify the sender.


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Azure MFA with Shibboleth

Peter Schober
* Sean Flannery <[hidden email]> [2018-06-28 19:45]:
> This question is a bit broad but, does anyone have any experience
> using Shibboleth IDP with Azure ADFS and Azure MFA?

Could you be more specific what exactly the connection between those
terms should be?

-peter

Re: Azure MFA with Shibboleth

sean_m_flannery

>> This question is a bit broad but, does anyone have any experience
>> using Shibboleth IDP with Azure ADFS and Azure MFA?

> Could you be more specific what exactly the connection between those
> terms should be?



Yes. Though, to be honest, I more know what I want and less how / if it can be done.  But, to add some detail:

1) most of our apps are protected by shibboleth SPs going against shibboleth IDP with LDAP as datasource. No MFA.

2) some of our apps are protected by shibboleth SPs going against cloud Azure-as-an-IDP. MFA works here and is provided by Azure.


We need to roll out MFA to the apps in group #1.

We could just roll out #2 (Azure as IDP) to all the apps and achieve MFA coverage, but Azure as IDP is a lot more restrictive than shibboleth IDP. For various reasons we greatly prefer shibboleth IDP.

But most of our users are doing MFA in Azure for their webmail and they use the MS Authenticator app on their watch or phone and like it.

So we would prefer to design something where we can use shibboleth as IDP (to keep IT happy) but Azure is --somehow-- MFA provider (to keep users happy). That is essentially the ask: shib IDP with azure MFA.

As I think about it, I think we would less want to use ADFS, which I think would be heading in the opposite direction (Azure login deferring to shibboleth IDP), and more, if possible, set up a shibboleth IDP to use Azure as an external auth source where azure also provides MFA?

Hopefully this detail helps some and that I'm getting enough of the terminology right to explain.

Appreciate the time. Any suggestions would be appreciated.

Sean



Re: Azure MFA with Shibboleth

Klingenstein, Nate

Sean,


The last time I investigated it was a while ago when they were primarily using a product they acquired known as "Phonefactor".  I don't know how much things have evolved from there, but I couldn't even have a coherent conversation about integration.


At that time, I felt that they don't think of themselves as an independent second factor.  They think of themselves as your complete identity and authentication provider.  The idea of abstracting one of those factors away seemed totally foreign to their architectural vision.


It's been about 6 months since I had any meaningful conversations with them about this.


Thanks,

Nate.



Re: Azure MFA with Shibboleth

Greg Haverkamp
In reply to this post by sean_m_flannery
On Thu, Jun 28, 2018 at 1:33 PM Sean Flannery <[hidden email]> wrote:

> We could just roll out #2 (Azure as IDP) to all the apps and achieve MFA coverage but Azure as IDP is a lot more restrictive than shibboleth IDP. For various reasons we greatly prefer shibboleth IDP.
>
> But most our users are doing MFA in Azure for their webmail and they use the MS Authenticator app on their watch or phone and like it.
>
> So we would prefer to design something where we can use shibboleth as IDP (to keep IT happy) but Azure is --some how-- MFA provider (to keep users happy). That is essentially the ask: shib IDP with azure MFA.
>
> As I think about it, I think we would less want to use ADFS which I think would be heading in the opposite direction (Azure login deferring to shibboleth IDP) and more, if possible, setup a shibboleth IDP to use Azure as an external auth source where azure also provides MFA?

Are both ADFS and the Shibboleth IdP using Azure AD as the directory?  One solution would be to authenticate Shibboleth with ADFS, with the Shibboleth IdP being an SP.

But if you'd prefer to use the Shibboleth IdP as the primary IdP, there seem to be two options in the documentation.  There appears to be an on-prem option; I don't know if that's doable for you, but it has RADIUS and LDAP interfaces.  The latter could likely be used with a few modifications to the existing Shibboleth LDAP authentication modules.  (I thought I had seen where someone had done RADIUS at some point; maybe that was JAAS?)  Alternatively, it looks like they have an API:



Re: Azure MFA with Shibboleth

Michael A Grady
No, that SDK is going away; on that page you linked to is this:

  "This feature will no longer be supported for new customers. Current customers can continue using the SDK until November 14, 2018. After that time, calls to the SDK will fail."

CAS 5 has a connector using that SDK, which won't be of much use later this year. :-)  It would appear that an on-prem Azure MFA gateway will be the only option.

On Jun 28, 2018, at 8:09 PM, Greg Haverkamp <[hidden email]> wrote:

> The latter could likely be used with a few modifications to the existing Shibboleth LDAP authentication modules.  (I thought I had seen where someone had done RADIUS at some point; maybe that was JAAS?). Alternatively, it looks like they have an API:

--
Michael A. Grady
IAM Architect, Unicon, Inc.





Re: Azure MFA with Shibboleth

Greg Haverkamp
On Thu, Jun 28, 2018 at 7:09 PM Michael A Grady <[hidden email]> wrote:
> No, that SDK is going away, on that page you linked to is this:
>
>   "This feature will no longer be supported for new customers. Current customers can continue using the SDK until November 14, 2018. After that time, calls to the SDK will fail."


So, probably not worth integrating with the IdP, then.  :-) 

Greg


Re: Azure MFA with Shibboleth

Janusz Ulanowski
In reply to this post by sean_m_flannery
Hi,
You can do it by mixing with oidc.
1. when authn must happen on azure
  - setup apache-oidc and register app on azure
  - set default shibb auth (remoteuser)
2. when you have sso on azure to use your shibb for authn then:
   - the same as 1.
   - configure shibb to use Password authn for relying party (azure)

It worked for me
--
Janusz


Re: Azure MFA with Shibboleth

sean_m_flannery

Thanks Janusz (and others for replying).

I'm not really familiar with OIDC, but wouldn't that mean that sites currently protected by our shibboleth SPs would have to change to read their data via the oauth claims from OIDC (as opposed to reading it now via the saml assertions)? I don't consider that a huge change, but my group doesn't control all those sites so it would require coordination.

I appreciate the time.





Re: Azure MFA with Shibboleth

Janusz Ulanowski

Hi,

You just protect /idp/Authn/RemoteUser with oidc which will pass remote user to shibboleth.

<IfModule mod_auth_openidc.c>

  <Location /idp/Authn/RemoteUser>
      AuthType openid-connect
      # allow only users whose unique_name claim ends in the specified domain
      # (the sample is for heanet.ie, shown here with example.com)
      Require claim "unique_name~\w+\@example\.com$"
  </Location>
  # ..... some other conf settings
  OIDCRemoteUserClaim "unique_name"
  # and so on
</IfModule>

-- 
Janusz


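As an added illustration of step 1 of Janusz's recipe (protect the IdP's RemoteUser endpoint with mod_auth_openidc so that Azure does the login, and its MFA policy, before REMOTE_USER reaches the IdP), here is a fuller Apache httpd fragment. This is example configuration written for this thread, not Janusz's actual config and not Shibboleth or Microsoft documentation. It assumes the IdP runs in Tomcat behind Apache over AJP on port 8009, that the IdP host is idp.example.com, that the user domain is example.com, and that every value in angle brackets is a placeholder for your own tenant, client id, secret and passphrase.

```apache
# Added example: mod_auth_openidc in front of the Shibboleth IdP RemoteUser
# endpoint, with Azure AD as the OpenID Connect provider. Nothing in this
# fragment turns MFA on; Azure enforces MFA through the policy attached to the
# registered application, and the IdP simply trusts the resulting REMOTE_USER.
# <TENANT-ID>, <APPLICATION-CLIENT-ID>, <CLIENT-SECRET>, <LONG-RANDOM-PASSPHRASE>
# and the example.com hostnames are placeholders (assumptions, not thread values).

<IfModule mod_auth_openidc.c>
    # Azure AD v1.0 discovery document for the tenant. v1.0 ID tokens carry the
    # unique_name claim used below; v2.0 tokens carry preferred_username instead,
    # so OIDCRemoteUserClaim must match whichever endpoint you register against.
    OIDCProviderMetadataURL https://login.microsoftonline.com/<TENANT-ID>/.well-known/openid-configuration
    OIDCClientID            <APPLICATION-CLIENT-ID>
    OIDCClientSecret        <CLIENT-SECRET>

    # The redirect URI must sit under a location this module protects and must
    # equal the reply URL registered for the app in Azure.
    OIDCRedirectURI         https://idp.example.com/idp/Authn/RemoteUser/redirect_uri
    OIDCCryptoPassphrase    <LONG-RANDOM-PASSPHRASE>
    OIDCScope               "openid"

    # The claim that becomes REMOTE_USER. Pick one that is unique, stable and
    # identical to the principal the IdP later resolves attributes for in LDAP.
    OIDCRemoteUserClaim     unique_name

    <Location /idp/Authn/RemoteUser>
        AuthType openid-connect
        <RequireAll>
            # Pin the issuing tenant so a token from another Azure tenant is
            # never accepted, even if the app registration is multi-tenant.
            Require claim "tid:<TENANT-ID>"
            # Anchor the domain check at both ends. A suffix-only pattern such
            # as \w+@example\.com$ also accepts "x@other.example@example.com".
            Require claim "unique_name~^[^@]+@example\.com$"
        </RequireAll>
    </Location>
</IfModule>

# Hand the request, and the REMOTE_USER it now carries, to the servlet container.
ProxyPass        /idp ajp://localhost:8009/idp
ProxyPassReverse /idp ajp://localhost:8009/idp
```

On the IdP side (Shibboleth IdP v3, as in this thread) the flow is selected with `idp.authn.flows = RemoteUser` in conf/idp.properties, and Tomcat's AJP connector needs `tomcatAuthentication="false"` so that the container adopts the REMOTE_USER Apache sends instead of discarding it. Two checks worth doing after deployment: confirm the container's own HTTP port is not reachable from outside, since a request that bypasses Apache would reach /idp/Authn/RemoteUser with no authentication at all, and confirm in the IdP log that the principal name recorded for a RemoteUser login is exactly the value you expect the LDAP attribute resolver to key on.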