SAML and Duo 2FA Part 3: Authentication and Assurance Overview Quiz


This content covers the implementation of SAML and Duo 2FA, authentication methods like ADFS and Shibboleth, and considerations for applications supporting various user groups and deployment scenarios. It emphasizes the importance of two-factor authentication and highlights the significance of authentication assurance levels. The content also touches upon the necessity of enhancing security measures beyond static passwords with 2FA options.

  • SAML
  • Duo 2FA
  • Authentication
  • ADFS
  • Shibboleth

Uploaded on Mar 09, 2025 | 0 Views



Presentation Transcript


  1. SAML and Duo 2FA Part 3 in the 2FA series

  2. Overview
     • A pop quiz!!!
     • Authentication and Assurance
     • 2FA: Duo Security
     • SAML: ADFS and Shibboleth
     • Duo Access Gateway
     • What authentication is right for you?
     • Adding 2FA to your application: some examples

  3. A Bit About You

  4. Who manages an application that authenticates using: CAS? Shibboleth? ADFS?

  5. Does your application support: Students? Faculty? Staff? Users in more than one of these groups?

  6. Is your application: On premises? In the cloud? Locally developed?

  7. How many of you reuse passwords?

  8. Do you reuse a password on: 4 sites? 10 sites? So many sites you can't keep track?

  9. How many of you wear a seatbelt when driving or riding in a car?

  10. How many of you remember a time when seatbelts were considered unnecessary or inconvenient?

  11. Authentication and Assurance

  12. Authentication and Assurance
      • Authentication: proving that you are who you claim to be
      • Assurance: how confident are we with your proof?

  13. Two-factor Authentication
      Two-factor authentication (2FA) provides increased security beyond a static password.

      2FA Option                     Assurance Level
      Duo Mobile app                 High
      U2F token                      High
      OTP token                      Moderate-High
      SMS                            Low-Moderate
      Phone call                     Low-Moderate
      None (static password only)    Low
      Protects against: phishing; re-used passwords that are compromised

      • Duo Security has been selected as the university 2FA provider
      • Self-serve enrollment and 2FA device management (https://uwaterloo.ca/2fa)
      • Friday morning seminars: February 9, 2018 (https://uwaterloo.ca/it-professional-development-advisory-group/it-seminar-duo-two-factor-authenticaion-service) and June 1, 2018 (https://uwaterloo.ca/it-professional-development-advisory-group/it-seminar-duo-two-factor-sequel)
      • 2FA Knowledge Base (https://uwaterloo.teamdynamix.com/TDClient/KB/?CategoryID=11579)

  14. SAML: Security Assertion Markup Language
      • An open standard for authentication and authorization data exchange
      • A trust is established between the identity provider and the service provider (application) to allow authentication transactions to occur
      • At login time, identity attributes can be asserted to the application, reducing the need for batch consumption of identity data

  15. CAS
      • CAS simply provides a successful/unsuccessful authentication, with some support for SAML 1.1 attribute release
      • Any application can make use of CAS authentication, without any configuration required in CAS
      • CAS use on campus should be considered deprecated
      • Plan to migrate applications to authenticate with ADFS (or Shibboleth)

  16. Shibboleth
      • SAML 2.0
      • Not configured for SSO (1 minute session timeout on IdP)
      • Doesn't provide 2FA integration
      • Most extensive set of identity data for assertions: username (scoped or not), campus email address, given name, student number, HRID, Nexus group membership, unique identity identifiers, affiliation (student, faculty, staff, alumni, etc.)
      • Only supported during business hours

  17. ADFS
      • SAML 2.0/WS-Federation
      • Provides SSO (24 hour session)
      • Can include login-time 2FA
      • Currently can only assert identity attributes from Nexus, EDU
      • Will soon be able to assert any of the identity attributes available to Shibboleth
      • 1 global 2FA policy from Duo
      • IST provides some off-hours support

  18. Duo Access Gateway
      • Provides login-time 2FA with Shibboleth authentication
      • A SAML proxy between IdP and Service Provider that can interject a 2FA challenge
      • Mechanism to integrate Duo 2FA for applications that support SAML, but lack native 2FA support
      • Allows custom 2FA policies per application

  19. Which Option is Right for You?

  20. ADFS or Shibboleth?
      Go with ADFS unless you require identity attributes asserted that ADFS can't provide (then use Shibboleth).

  21. Duo for [x], Duo ADFS, or Duo Access Gateway?
      • If your application has delivered Duo integration, use that (Duo for OWA)
      • If you want step-up Duo challenges, you need Duo integration with your app directly (Duo for [x] for some apps, or the Auth API)
      • If you have ADFS auth and the standard Duo policy is appropriate, use Duo ADFS
      • If you have unique policy requirements:
        • Purchased applications: use Duo Access Gateway
        • Built applications:
          • Using SAML auth: use Duo Access Gateway
          • Otherwise: Auth API

  22. Adding 2FA to Your Application

  23. Web Applications
      • ADFS/Shibboleth
      • Duo Web
      • Direct integration
      • Additional tools

  24. Using ADFS/Shib/Duo Auth Gateway
      • Apache: mod_auth_mellon, mod_shib (Shibboleth only)
      • PHP: SimpleSAMLphp
      • Django: djangosaml2, django-saml-auth, python-saml
      • Node.js: saml2-js

  25. Duo Web
      • Create a sign request
      • Show iframe using JavaScript provided by Duo
      • Verify response and proceed
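The three Duo Web steps on this slide, worked through as an added example that is not part of the presentation and not Duo's SDK. It is modelled on the Duo Web SDK v2 signing scheme as I understand it (two '|'-separated, base64-encoded cookies, each HMAC-SHA1 signed, one under Duo's secret key and one under the application's own key); the `simulate_duo_iframe` function stands in for Duo's hosted service, and the integration, secret and application keys are constructed placeholders. The point the example makes is why the verify step exists at all: the application accepts the login only when Duo's AUTH cookie and the app's own APP cookie both verify, are unexpired, carry the right integration key, and name the same user.

```python
"""Duo Web (iframe) round trip: sign request -> Duo iframe -> verify response.
Added example modelled on the Duo Web SDK v2 signing scheme; not Duo's SDK.
All keys below are constructed placeholders."""
import base64
import hashlib
import hmac
import time

DUO_PREFIX = "TX"      # application -> Duo: please perform the second factor
AUTH_PREFIX = "AUTH"   # Duo -> application: second factor completed
APP_PREFIX = "APP"     # application -> itself: binds the username under akey
DUO_EXPIRE = 300       # seconds a TX/AUTH cookie stays valid
APP_EXPIRE = 3600      # seconds an APP cookie stays valid

# Constructed placeholder credentials (integration key, secret key, application key).
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "deadbeef" * 5
AKEY = "a1b2c3d4e5" * 4


def _sign_vals(key, vals, prefix, expire, now):
    """Build PREFIX|base64(v1|v2|exp)|hmac, signed under key."""
    exp = str(int(now) + expire)
    b64 = base64.b64encode("|".join(vals + [exp]).encode()).decode()
    cookie = f"{prefix}|{b64}"
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def _parse_vals(key, val, prefix, ikey, now):
    """Return the username carried by val if its signature, prefix, ikey and
    expiry all check out, else None. The signature is checked first, in
    constant time, before any field inside the cookie is trusted."""
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    expected = hmac.new(key.encode(), f"{u_prefix}|{u_b64}".encode(),
                        hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, u_sig):
        return None
    if u_prefix != prefix:
        return None
    try:
        username, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
        expired = int(now) >= int(exp)
    except (ValueError, UnicodeDecodeError):
        return None
    if u_ikey != ikey or expired:
        return None
    return username


def sign_request(ikey, skey, akey, username, now=None):
    """Step 1: the application signs the request handed to Duo's iframe."""
    now = time.time() if now is None else now
    if not username or "|" in username:
        raise ValueError("username must be non-empty and must not contain '|'")
    duo_sig = _sign_vals(skey, [username, ikey], DUO_PREFIX, DUO_EXPIRE, now)
    app_sig = _sign_vals(akey, [username, ikey], APP_PREFIX, APP_EXPIRE, now)
    return f"{duo_sig}:{app_sig}"


def verify_response(ikey, skey, akey, sig_response, now=None):
    """Step 3: check Duo's AUTH cookie (under skey) and the app's APP cookie
    (under akey); accept only if both verify and name the same user."""
    now = time.time() if now is None else now
    try:
        auth_sig, app_sig = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user


def simulate_duo_iframe(ikey, skey, sig_request, now):
    """Step 2, constructed stand-in for Duo's hosted service: validate the TX
    cookie and, once the user has approved, return AUTH:APP."""
    tx_sig, app_sig = sig_request.split(":")
    username = _parse_vals(skey, tx_sig, DUO_PREFIX, ikey, now)
    if username is None:
        return None
    auth_sig = _sign_vals(skey, [username, ikey], AUTH_PREFIX, DUO_EXPIRE, now)
    return f"{auth_sig}:{app_sig}"


if __name__ == "__main__":
    request = sign_request(IKEY, SKEY, AKEY, "alice")
    response = simulate_duo_iframe(IKEY, SKEY, request, time.time())
    print("verified user:", verify_response(IKEY, SKEY, AKEY, response))
```

The `now` parameter exists so the expiry checks can be exercised deterministically; in production it is simply the current time. Because the APP cookie is signed under a key Duo never sees, a response for one user cannot be spliced onto another user's session, and a TX cookie replayed in place of an AUTH cookie fails the prefix check.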

  26. Duo Client and Auth API
      https://github.com/duosecurity
      Client libraries: Python, JavaScript, PHP, Go, C#, Node.js, Java, Ruby, Perl, ColdFusion, ASP.NET, C

  27. Duo Client and Auth API
      • Check if user is authorized to login (based on Duo settings/groups) and retrieve available devices
      • Present user with selection from devices
      • Authenticate with selected option
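The decision logic behind the three Auth API steps above, as an added example that is not part of the presentation and not Duo's client library. It assumes a preauth response in the shape the Duo Auth API returns (`stat`, `response.result` of `allow`/`deny`/`enroll`/`auth`, and a `devices` list with `capabilities`); the HTTP call itself is left out and the sample payloads are constructed. Devices and factors are ranked using the assurance order from slide 13 (Duo Mobile push first, one-time passcode next, then phone call and SMS), so the default pick is the strongest factor the user actually has, while `device_choices` produces the menu for the "present user with selection" step.

```python
"""Consume a Duo Auth API preauth-style response and decide the next step.
Added example, not Duo's client library; sample payloads are constructed."""
import json

# Ranked by the assurance levels on slide 13: push > passcode > phone call > SMS.
FACTOR_PREFERENCE = ("push", "mobile_otp", "phone", "sms")

# Device capability -> 'factor' parameter for the follow-up auth call.
# Note: 'sms' only sends codes; the user must then submit a passcode.
CAPABILITY_TO_FACTOR = {"push": "push", "mobile_otp": "passcode",
                        "phone": "phone", "sms": "sms"}


def _label(dev):
    """Human-readable name for a device entry, falling back to its number."""
    return dev.get("display_name") or dev.get("name") or dev.get("number", "")


def device_choices(preauth_json):
    """Step 2: the menu to show the user, one entry per (device, factor),
    strongest factor first."""
    body = json.loads(preauth_json)
    devices = body.get("response", {}).get("devices", [])
    choices = []
    for capability in FACTOR_PREFERENCE:
        for dev in devices:
            if capability in dev.get("capabilities", []):
                choices.append({"device": dev["device"],
                                "factor": CAPABILITY_TO_FACTOR[capability],
                                "label": _label(dev)})
    return choices


def plan_second_factor(preauth_json):
    """Steps 1 and 3 combined: interpret the preauth result and, when a second
    factor is required, return the parameters for the auth call.
    Returns {"action": "deny"|"allow"|"enroll"|"auth"|"error", ...}."""
    body = json.loads(preauth_json)
    if body.get("stat") != "OK":
        return {"action": "error", "reason": body.get("message", "API error")}
    resp = body.get("response", {})
    result = resp.get("result")
    if result == "deny":
        return {"action": "deny", "reason": resp.get("status_msg", "")}
    if result == "allow":   # e.g. user is in a bypass group: no challenge needed
        return {"action": "allow", "reason": resp.get("status_msg", "")}
    if result == "enroll":  # user has no devices yet; send them to enrollment
        return {"action": "enroll", "url": resp.get("enroll_portal_url", "")}
    if result != "auth":
        return {"action": "error", "reason": f"unexpected result {result!r}"}
    choices = device_choices(preauth_json)
    if not choices:
        return {"action": "deny", "reason": "no usable second-factor device"}
    plan = {"action": "auth", **choices[0]}
    if plan["factor"] == "passcode":
        plan["prompt"] = "enter the code shown in Duo Mobile"
    return plan


# Constructed sample preauth response for a user with two phones.
SAMPLE_PREAUTH = json.dumps({
    "stat": "OK",
    "response": {
        "result": "auth",
        "status_msg": "Account is active",
        "devices": [
            {"device": "DPEXAMPLE00000000001", "type": "phone",
             "number": "XXX-XXX-0100", "name": "",
             "capabilities": ["phone", "sms"]},
            {"device": "DPEXAMPLE00000000002", "type": "phone",
             "number": "XXX-XXX-0200", "display_name": "iOS (XXX-XXX-0200)",
             "capabilities": ["push", "sms", "phone", "mobile_otp"]},
        ],
    },
})


if __name__ == "__main__":
    for choice in device_choices(SAMPLE_PREAUTH):
        print(choice)
    print("default plan:", plan_second_factor(SAMPLE_PREAUTH))
```

Handling `deny` and `enroll` explicitly matters: a `deny` from preauth must end the login rather than fall through to a challenge, and an `enroll` result should route the user to enrollment instead of being treated as an error.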

  28. Additional Tools
      A few tools that I have worked on for UW (Django specific tools):
      • https://git.uwaterloo.ca/uw_django/duo_auth
        Library for quickly adding Duo to your Django application; @duo_required decorator for views
      • https://git.uwaterloo.ca/uw_django/uw_saml_tools
        Library for working with SAML authentication in Django; sync NEXUS groups with Django groups on login; more in the future as needed
      • https://git.uwaterloo.ca/uw_django/uw_django_templates
        Not related to 2FA or SAML, but helpful for those using Django.

  29. Desktop Applications and Scripts
      • SSH and/or Linux desktop (duounix)
      • Windows (local login or RDP)
      • Mac OS X (graphical login only; for SSH, uses duounix)
      • In-house desktop application (use client and auth libraries, similar to web)

  30. Demo

  31. QUESTIONS? amward@uwaterloo.ca ryan.goggin@uwaterloo.ca
