NIH Open Office Hour - Shared screen with speaker view
Stephen Burr
20:25
Stephen Burr, Executive Director of Enterprise Systems, University of Kentucky: I’m interested in the scope of the MFA requirement, but not specifically through ADFS. We’ve implemented via Gluu, but we use ADFS for lots of other things. Specifically, is the requirement to implement MFA for all federated applications, or just for NIH?
Ann West
20:26
Here’s the REFEDs MFA Profile: https://refeds.org/profile/mfa
Mike Osterman
20:47
And is the assertion sent with the user attributes? Or is it some kind of global assertion?
Scott Cantor
21:28
The signaling in SAML relies on the RequestedAuthnContext and AuthnContext/AuthnContextClassRef elements in requests and assertions, not Attributes.
Josh Bright
21:46
Thanks Scott
Scott Cantor
21:54
The signaling Tom is referring to is communicating the defined class ref URI in the assertions and handling requests for it.
Ann West
22:03
Right now Stephen, the MFA Profile will be required for federated access to NIH. That said, there are quite a number of research service providers that are interested in it as well.
Mike Osterman
22:11
Thanks, @Scott.
Scott Cantor
22:16
The vast majority of non-open source IdPs cannot act compliantly in either way.
Albert Wu
24:35
ADFS Toolkit: http://adfstoolkit.org/content/
Albert Wu
25:18
https://wiki.refeds.org/pages/viewpage.action?pageId=38895671
Albert Wu
26:13
The REFEDS link points to an article explaining the issues
Josh Bright
26:59
jbright@wcu.edu Cirrus Support
Albert Wu
27:52
SATOSA: https://github.com/IdentityPython/SATOSA
Ann West
28:08
Identity provider as a service working group report: https://incommon.org/news/final-report-on-identity-provider-as-a-service-open-for-consultation/
Michael Brogan
28:10
We have ADFS in our infrastructure at the UW (for other reasons) and our ADFS admin was able to write a custom claim rule to set authnContextClassRef in the authn requests it makes to our Shibboleth IdP. I don't know if the same approach can be used to inject the right authnContextClassRef in authn responses it sends to SPs.
Cirrus Support
28:55
For those interested -- I can field further questions. Just email mark.rank@cirrusidentity.com . URL for product is https://www.cirrusidentity.com/products/bridge
Josh Bright
29:32
@michael brogan - I'm interested in that custom claim jbright@wcu.edu
Mary Ann Blair
30:27
Is the compliance check tool sufficient for verifying readiness?
Michael Brogan
30:36
I can probably dig up that rule from our ADFS admins. Email me at mbrogan@uw.edu.
Michael Brogan
31:28
Related to ADFS custom claims rules for MFA: https://social.msdn.microsoft.com/Forums/vstudio/en-US/212b778f-d050-4d1a-b1e9-b204d8e7634b/adfs-20-is-there-a-way-to-configure-the-authncontextclassref-that-is-generated-in-the-saml?forum=Geneva
Jeff Erickson
31:56
jeff.erickson@nih.gov
Mike Osterman
33:25
Is there anyone here looking at this from a CAS IdP standpoint?
Ann West
39:26
Assured Access Working Group: https://internet2.zoom.us/j/96615320068
Tom Barton
40:06
Here's the AAWG link: https://spaces.at.internet2.edu/display/aawg/
Ann West
40:27
Oh Dang…Thanks Tom.
Ann West
44:04
REFEDS Assurance Framework can be found here: https://refeds.org/assurance
Albert Wu
44:22
And here is the NIST 800-63 Identity Assurance Guideline: https://pages.nist.gov/800-63-3/sp800-63a.html
Albert Wu
45:00
Section 4.7 of 800-63A summarizes the IAL requirements
Ann West
48:17
Local Enterprise - See definition in Appendix A of the REFEDS Assurance Framework above.
Kevin Ruderman
49:03
Is this Compliance Check link working: https://auth.nih.gov/CertAuthV3/forms/eRAcompliancecheck.aspx
Ann West
49:05
It aligns nicely to Baseline Expectations already in place for the InCommon community.
Kevin Ruderman
50:16
I got a "500 Internal server error", am I broken or are they?
Scott Cantor
50:54
Worked for me.
Anthony Jones
51:18
I am getting a 500 as well
hiroki
52:43
This is my 500 err:
Server Error 500 - Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed.
urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext
Scott Cantor
53:03
That's your IdP refusing to handle their request for MFA via that context class.
Scott Cantor
53:31
(I doubt they mean for it to trigger a 500, but that's your IdP not supporting REFEDS MFA profile.)
Anthony Jones
55:26
I briefly see my IdP's splash page before getting a 500 error. I am never asked to authenticate but I get the same error
Michael Brogan
55:27
I get a 500 with "Exception: No identity provider was selected by user." after I pick the UW IdP off the list. Our IdP does support REFEDS MFA and the R&S attribute bundle.
Scott Cantor
56:14
You don't get a page because your IdP immediately knows that it doesn't understand the value being requested.
Albert Wu
56:58
@Scott is that a reply to Michael B’s comment?
Scott Cantor
57:05
No, Anthony's.
Scott Cantor
57:15
Michael's sounds to me like a browser glitch.
Tammar
57:21
ADFS with Duo supports the remember-me feature; ADFS can bypass 2FA if the user is already authenticated to one of the apps.
JEFFREY CRAWFORD
58:30
Have to drop off
Amol
58:50
We do not support REFEDS Research & Scholarship. Do we need to have MFA on our Shib sso?
ryazanov
59:19
Elena of Boston College has a question
Mike Osterman
01:00:01
Different REFEDS value, I think?
Mike Osterman
01:00:18
Missing the MFA assertion?
Scott Cantor
01:00:25
"https://refeds.org/profile/mfa" is the AuthnContext class that's being used
Scott Cantor
01:00:39
Nothing to do with the assurance discussion, because MFA is orthogonal to identity assurance.
Mike Osterman
01:01:54
@Scott, is there a Shib min version requirement for this, or should config work on any supported IdP?
Mike Osterman
01:02:50
For configuring the REFEDS MFA AuthnContext, that is?
Ann West
01:03:05
Here are some examples for configurations: https://wiki.refeds.org/pages/viewpage.action?pageId=50626893
Scott Cantor
01:03:09
Anything modern.
Scott Cantor
01:03:42
There's no practical/usable way to do MFA sanely prior to 3.3 though.
Mike Osterman
01:04:06
Should we pester the CAS-user list to get an example on here, Ann?
sandeep sathyaprasad
01:05:46
Please feel free to reach out to NIH at NIHLoginInternal <NIHLogin.Internal@mail.nih.gov> for any questions/issues regarding the compliance page testing process.
ryazanov
01:07:48
Elena Ryazanova, Boston College Middleware Systems
We have Shib IdP integrated with NetIQ Access Manager via idp.authn.flows=RemoteUser. The authentication step is performed by NAM; we cannot identify which SP requested the SAML session on the Shib IdP side, nor whether DUO has been requested.
DUO SAML server by NAM, InCommon Shib
Could anyone with a similar setup, where the authorization step happens outside of Shib, share their configuration details?
hiroki
01:10:13
is there any way to make it easier for the “birds of a feather” on this call with similar infrastructure to find each other to solve or commiserate as necessary?
Michael Brogan
01:11:15
My 500 error "no identity provider selected" has gone away, replaced with a green compliance checkmark.
Jeff Erickson
01:11:38
I've got to drop at 5.
Ann West
01:11:54
@Hiroki You can subscribe to the Assured Access Working Group email list: https://spaces.at.internet2.edu/display/aawg
Jeff Erickson
01:11:59
Thank you all for your help with this change.
Ann West
01:12:23
We will also be putting more information in our newsletter and in email as it becomes available.
Timothy Johnson
01:12:39
This is good information, thank you all. I have to run to another meeting.
Ann West
01:12:54
Thanks all for joining!
Mary Ann Blair
01:13:28
Sorry. Jeff, do you know when our users will be receiving the notice to check whether we are ready?
Mary Ann Blair
01:13:46
yes
Mary Ann Blair
01:13:54
ok thx