Lessons Learned From Multi-Factor Integration at Upcoming Global Summit 2019

Feb 18, 2019, by Sara Aly
Tags: Frontpage News, Higher Education, Identity Federation, Latin America and Caribbean Research and Education Community, North American Research and Education Community, Research & Education Networks, SAML-Based Authentication, Shibboleth

By Jacob Farmer and Chris Tompkins, Indiana University; and Michelle Wangham, University of Vale do Itajaí (UNIVALI)

Multi-factor authentication (MFA) is growing in adoption among the national and international research and education communities. Institutions are deploying MFA in an effort to protect critical systems and data from being breached due to a phished password. The implementation of MFA can be a daunting task – how can you tell what the right solution is for your organization? Who should you involve in the implementation process? How long will the process take?

At Indiana University (IU), we completed the integration of single sign-on (SSO) and two-factor authentication with Salesforce. In 2017, when IU transitioned to two-factor authentication for all employees, it faced a challenge: while individual Salesforce products support SSO, the integrated functionality between products sometimes does not. This presented a significant security gap that needed to be closed. Salesforce is a significant repository of regulated data, including information protected by HIPAA and FERPA. If Salesforce's native password authentication cannot be disabled, a password-only path remains that bypasses the university's two-factor requirement, and it is difficult to align Salesforce with university data security policies and practices. The success of this project is a testament to how federated authentication barriers can be overcome given enough creativity and motivation.

At the Brazilian National Research and Education Network (RNP), we developed and implemented an open-source MFA solution for the Shibboleth Identity Provider based on the REFEDS MFA profile. The profile defines the requirements an authentication event must meet before an identity provider may claim that MFA was used, and it defines a SAML authentication context class (https://refeds.org/profile/mfa) for expressing that claim in a SAML assertion, so that a service provider can request it and verify it on the way back. The solution was developed by RNP in an R&D project and supports the following second-factor technologies: time-based one-time passwords (TOTP), WebAuthn (FIDO2), and phone prompt.
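The following added example (not RNP's or Indiana University's code, and not part of the original post) shows the two halves of the REFEDS MFA profile as they appear on the wire: a service provider building a SAML 2.0 AuthnRequest that demands the REFEDS MFA authentication context class with exact comparison, and the check the service provider must perform on the returned assertion so that a password-only login asserted under a different class is rejected. The context class URI `https://refeds.org/profile/mfa` is the one defined by the profile; the entity IDs, hostnames and sample assertion XML are constructed for illustration, and signature, audience and timing validation are assumed to have happened already.

```python
"""REFEDS MFA in SAML 2.0: requesting the context and checking the assertion.

Added example, not code from RNP or Indiana University. Only the REFEDS MFA
context class URI is real; every entity ID, URL and sample assertion below is
constructed for illustration.
"""
import xml.etree.ElementTree as ET

REFEDS_MFA = "https://refeds.org/profile/mfa"
# A single-factor class an IdP would return for a plain password login.
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def build_authn_request(sp_entity_id, acs_url, request_id, issue_instant):
    """Build a minimal AuthnRequest (as bytes) that demands REFEDS MFA.

    Comparison="exact" is the SAML default, but stating it makes the intent
    explicit: the IdP must assert exactly this class or fail the request.
    """
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(root, f"{{{NS['samlp']}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = REFEDS_MFA
    return ET.tostring(root, encoding="utf-8")


def requested_authn_context(request_xml):
    """IdP side: return (comparison, [class refs]) from an AuthnRequest."""
    root = ET.fromstring(request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return ("", [])
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return (rac.get("Comparison", "exact"), refs)


def asserted_authn_contexts(assertion_xml):
    """Return every AuthnContextClassRef carried by the assertion's AuthnStatements."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.iterfind(path, NS) if e.text]


def mfa_satisfied(assertion_xml, requested=REFEDS_MFA):
    """SP side: accept only if the IdP asserted the requested class verbatim.

    An assertion with no AuthnStatement, or one whose class is anything other
    than the requested URI (e.g. PasswordProtectedTransport), is rejected.
    """
    ctxs = asserted_authn_contexts(assertion_xml)
    return len(ctxs) > 0 and all(c == requested for c in ctxs)


# Constructed sample assertions (not real IdP output; signatures omitted).
_ASSERTION_TMPL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2019-02-18T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2019-02-18T11:59:58Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

MFA_ASSERTION = _ASSERTION_TMPL.format(ctx=REFEDS_MFA).encode()
PASSWORD_ONLY_ASSERTION = _ASSERTION_TMPL.format(ctx=PASSWORD_PT).encode()
NO_AUTHN_STATEMENT = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
                      b'ID="_a2" Version="2.0" IssueInstant="2019-02-18T12:00:00Z">'
                      b"<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
                      b"</saml:Assertion>")

if __name__ == "__main__":
    req = build_authn_request("https://sp.example.edu/shibboleth",
                              "https://sp.example.edu/Shibboleth.sso/SAML2/POST",
                              "_r1", "2019-02-18T12:00:00Z")
    print("IdP sees requested context:", requested_authn_context(req))
    print("MFA assertion accepted:   ", mfa_satisfied(MFA_ASSERTION))
    print("password-only accepted:   ", mfa_satisfied(PASSWORD_ONLY_ASSERTION))
    print("no AuthnStatement accepted:", mfa_satisfied(NO_AUTHN_STATEMENT))
```

The check in `mfa_satisfied` is the part that is easy to forget on the service-provider side: requesting the REFEDS MFA class is only half of the profile, and an SP that does not compare the asserted `AuthnContextClassRef` against what it asked for will happily accept a session that the IdP established with a password alone.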

We encourage you to attend the 2019 Global Summit session "Stories from the Field: Multi-Factor Integration" on Wednesday, March 6 at 2:45 p.m. to learn more about our institutions' respective journeys with MFA integration.