2019 Internet2 Global Summit


Stories from the Field: Multi-Factor Integration

Time: 03/06/19 02:45PM-04:00PM

Room: Capitol (M4)

Session Abstract

This session will look at two integrations using multifactor authentication. Indiana University will share its experience integrating SSO and two-factor with Salesforce. The Brazil National Research and Education Network (RNP) will share a complete open source solution to offer multi-factor authentication – based on the REFEDS MFA profile – for any Shibboleth Identity Provider.

Indiana University is one of the largest Salesforce higher education customers in the world, with 235 distinct business units relying on the tool across 9 campuses. In 2017, when IU transitioned to the use of two-factor authentication for all employees, it was presented with a challenge: while individual Salesforce products support single sign-on (SSO), integrated functionality between products sometimes does not.

This presented a significant security challenge that needed to be resolved: Salesforce is a significant repository of regulated data, including information protected by HIPAA and FERPA. If native authentication cannot be disabled, it is difficult to align Salesforce with university data security policies and practices.

This session will lead participants through IU’s 18-month journey to find a way to resolve this challenge. Learn how multiple teams inside IU collaborated with an architect at Salesforce, third-party consultants, and a myriad of Salesforce product owners to identify a simple, repeatable process that could also be leveraged by other colleges and universities using Salesforce.

In the other half of this session, you will learn about a project funded by RNP (the Brazilian NREN) – a complete open source solution to offer multi-factor authentication for any Shibboleth Identity Provider. The solution is based on the REFEDS MFA Profile standard, which guarantees interoperability with current and future multi-factor authentication solutions.

Until 2017, there was no standard way to offer multi-factor authentication with Shibboleth. Earlier attempts included the Multi-Context Broker (MCB), an extension to the Shibboleth Identity Provider allowing it to handle multiple authentication methods, and Authentication Flow Selection, an engine used to handle authentication requests on the Identity Provider. However, neither is a comprehensive solution for offering multi-factor authentication, and both depend on third-party solutions such as Duo Security.

The solution developed through the Brazilian RNP is based on the REFEDS MFA Profile standard, which guarantees interoperability with current and future multi-factor authentication solutions. The solution was designed to have low coupling with the IdP, to be user-friendly, to be flexible for users and IdP administrators, and to be extensible, so that new technologies can be added as extra authentication factors.

Currently, the solution supports the following 2FA technologies: Time-based One-Time Password (TOTP), WebAuthn, and Phone Prompt. A mobile application was also developed to act as the second factor for the Phone Prompt technology. This solution has been developed in the context of an R&D project funded by RNP (the Brazilian NREN).
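The interoperability the RNP solution gets from the REFEDS MFA Profile comes from a single SAML signal: the IdP asserts the context class `https://refeds.org/profile/mfa` in the AuthnStatement, and a relying party that wants MFA requests that class and checks for it. The following added example (written for this page, not code from the RNP project, the Shibboleth IdP, or IU's Salesforce integration) shows the relying-party side of that contract in Python: building the RequestedAuthnContext an SP would send, and checking a received assertion for the REFEDS MFA class plus a freshness window on AuthnInstant. The sample assertions, the issuer entityID and the one-hour freshness window are constructed assumptions; the XML signature verification that must precede any trust in the assertion is assumed to have been done by the SAML library and is outside this snippet.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml2": SAML2, "saml2p": SAML2P}

# Context class defined by the REFEDS MFA Profile.
REFEDS_MFA = "https://refeds.org/profile/mfa"
# A single-factor class, for comparison with the MFA case.
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample assertions (hypothetical issuer, not from any real IdP).
# The first carries the REFEDS MFA class; the second only a password class.
SAMPLE_ASSERTION_MFA = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_c1" Version="2.0"
    IssueInstant="2019-03-06T19:45:00Z">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:AuthnStatement AuthnInstant="2019-03-06T19:44:50Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>{REFEDS_MFA}</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>"""

SAMPLE_ASSERTION_PASSWORD = SAMPLE_ASSERTION_MFA.replace(REFEDS_MFA, PASSWORD_PT)

# Constructed "current time" for the freshness check (assumption for the demo).
SAMPLE_NOW = datetime(2019, 3, 6, 19, 46, 0, tzinfo=timezone.utc)


def requested_authn_context_xml() -> str:
    """RequestedAuthnContext element an SP puts in its AuthnRequest to ask
    the IdP for REFEDS MFA. Comparison="exact" means a weaker class such as
    PasswordProtectedTransport does not satisfy the request."""
    return (
        f'<saml2p:RequestedAuthnContext xmlns:saml2p="{SAML2P}" '
        f'xmlns:saml2="{SAML2}" Comparison="exact">'
        f"<saml2:AuthnContextClassRef>{REFEDS_MFA}</saml2:AuthnContextClassRef>"
        "</saml2p:RequestedAuthnContext>"
    )


def authn_context_classes(assertion_xml: str) -> list:
    """All AuthnContextClassRef values asserted in the assertion's
    AuthnStatements, in document order."""
    root = ET.fromstring(assertion_xml)
    path = "saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef"
    return [el.text.strip() for el in root.findall(path, NS) if el.text]


def _parse_saml_instant(value: str) -> datetime:
    # SAML dateTime values are UTC with a trailing "Z"; normalise for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def mfa_satisfied(assertion_xml: str, now: datetime, max_age_seconds: int = 3600) -> bool:
    """True if some AuthnStatement asserts the REFEDS MFA class and its
    AuthnInstant is no older than max_age_seconds. The freshness window is a
    local relying-party policy (assumption), not part of the profile itself.
    Call this only after the assertion's XML signature has been verified."""
    root = ET.fromstring(assertion_xml)
    for stmt in root.findall("saml2:AuthnStatement", NS):
        ref = stmt.find("saml2:AuthnContext/saml2:AuthnContextClassRef", NS)
        if ref is None or (ref.text or "").strip() != REFEDS_MFA:
            continue
        instant_attr = stmt.get("AuthnInstant")
        if not instant_attr:
            continue
        age = (now - _parse_saml_instant(instant_attr)).total_seconds()
        if 0 <= age <= max_age_seconds:
            return True
    return False


if __name__ == "__main__":
    print(requested_authn_context_xml())
    print("MFA assertion classes:", authn_context_classes(SAMPLE_ASSERTION_MFA))
    print("MFA satisfied:", mfa_satisfied(SAMPLE_ASSERTION_MFA, SAMPLE_NOW))
    print("Password-only satisfied:", mfa_satisfied(SAMPLE_ASSERTION_PASSWORD, SAMPLE_NOW))
```

The point of pinning the exact REFEDS URI, rather than accepting any unfamiliar class, is that an IdP that silently falls back to a password-only flow (as the pre-2017 add-ons could, depending on how the third-party factor was wired in) then fails the check instead of passing it; that is what lets a TOTP, WebAuthn or Phone Prompt factor added later on the IdP side work unchanged at the SP.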

Presenters:
Jacob Farmer, Indiana University
Michelle Wangham, University of Vale do Itajaí (Univali), Coordinator, RNP experimentation service for identity management

Speakers:
Jacob Farmer, Indiana University
Michelle Wangham, RNP (Rede Nacional de Ensino e Pesquisa)
Christopher Tompkins, Indiana University

Primary track: Trust & Identity