
mfa-interop - Re: [MFA-Interop] Fwd:Response from Jim Basney on behalf of CILogon

Subject: MFA Interop Working Group

  • From: David Walker <>
  • To: <>
  • Subject: Re: [MFA-Interop] Fwd:Response from Jim Basney on behalf of CILogon
  • Date: Fri, 29 Apr 2016 12:15:39 -0700

Good news from Jim! Thanks, Mike.

David


On 04/29/2016 11:50 AM, Michael A Grady wrote:
FYI

Begin forwarded message:

From: "Basney, Jim" <>
Subject: Re: [refeds] The MFA Interoperability Profile Working Group requests comments by May 16
Date: April 29, 2016 at 1:22:24 PM CDT
To: Michael A Grady <>
Cc: David Walker <>

Hi Mike,

 - Do you see possible connections of this work to the CILogon service? 

Yes, if IdPs can signal to CILogon that MFA was performed, CILogon can issue an X.509 certificate that will be accepted by https://bluewaters.ncsa.illinois.edu/blue-waters.

 - Is the proposed MFA profile "good enough" for any use cases for the CILogon service and the cyberinfrastructure resources that leverage it?

Yes.

 - Are there changes/clarifications that you think would need to be made for it to be useful for the CILogon service?

Please reconsider the following:

The group did not think exposing “compliance” with the MFA Profile through the SAML metadata was helpful because no existing SP/IdP software is capable of leveraging such information to influence its use of the MFA profile.

As we learned with Silver interoperability testing, we need metadata to tell us whether the IdP can correctly respond to requests for http://id.incommon.org/assurance/mfa. Otherwise, our SP(s) can't confidently request it for fear that InCommon/eduGAIN IdPs will fail badly.

 - Are there any concrete ways the CILogon service might leverage it in the "not-too-distant" future?

Yes, for Blue Waters. Also the soon-to-be-registered NCSA IdP, which uses RSA SecurID authentication, will be able to assert it.

Regards,
Jim


Begin forwarded message:

From: David Walker <>
Subject: [refeds] The MFA Interoperability Profile Working Group requests comments by May 16
Date: April 21, 2016 at 4:14:54 PM CDT
To: <>
Reply-To: <>

For those of you who have an interest in multifactor authentication, but may not have seen Monday's TIER release announcement, InCommon's MFA Interoperability Profile Working Group, which is completing "...an interoperability profile to allow the community to leverage MFA provided by an InCommon Identity Provider by allowing SPs to rely on a standard syntax and semantics regarding MFA,"  has asked that comments on its draft profiles and other documents be sent to .  Please take a look and weigh in on the conversation.  Comments are open until May 16, 2016.

David Walker


--
Michael A. Grady
IAM Architect, Unicon, Inc.

