
Shibboleth IdP Setup

David D. Riddle edited this page Apr 10, 2018 · 5 revisions

The IdP must be configured to support authentication at its ECP endpoint (the SAML 2.0 SOAP/ECP profile). For most deployments that authenticate with passwords the endpoint works without additional configuration, because ECP clients carry the user's credentials in an HTTP Basic Authorization header and the IdP's password login flow accepts them. Details on configuring ECP can be found here:

https://wiki.shibboleth.net/confluence/x/hAAzAQ

If the request carries an IdP session cookie for a valid, unexpired session, the IdP honors it and the user does not have to re-authenticate. For this to work, the IdP itself must perform the authentication rather than delegating it to the servlet container or the web server in front of it: only the IdP knows about its session cookie, so only the IdP can skip authentication when it finds one. If the container or web server authenticates the request before the IdP sees it (for example, by requiring HTTP Basic credentials for the ECP endpoint in the web server configuration), the client has to present credentials on every request and the session cookie is never consulted.
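The exchange the previous two paragraphs describe, as an added example that is not code from this page, from the Shibboleth project or from the University of Maryland contribution: a minimal Python ECP client written against a pluggable transport. Everything under FakeTransport is a constructed stand-in for a Shibboleth SP and IdP, including the SOAP envelopes, the example.org URLs, the alice/s3cr3t credentials and the sess-1 session value; the shib_idp_session cookie name follows the IdP's default, but nothing here talks to a real IdP. The fake's container_auth flag models the misconfiguration the text warns about: credentials demanded by the web server before the IdP runs, so a valid IdP session cookie never helps. The client also performs the check the ECP profile requires of it: the AssertionConsumerServiceURL asserted by the IdP must equal the responseConsumerURL the SP supplied, or the assertion must not be delivered.

```python
"""SAML2 ECP client flow with a pluggable transport (added example, see lead-in)."""
import base64
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)  # keep the conventional prefixes when re-serializing
# Request headers that tell the SP the client speaks ECP (no browser redirect wanted).
ECP_HEADERS = {"Accept": "text/html; application/vnd.paos+xml",
               "PAOS": "ver='urn:liberty:paos:2003-08';'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'"}

class EcpError(Exception):
    pass

def _tag(prefix, name):
    return "{%s}%s" % (NS[prefix], name)

def ecp_login(transport, sp_url, idp_ecp_url, username=None, password=None):
    """One ECP exchange; returns (status, body) of the SP's final answer. The transport
    (get(url, headers) / post(url, body, headers) -> (status, headers, body)) owns the
    cookie jar, so an IdP session cookie set on one call is sent on the next."""
    # 1. Ask the SP for the resource; it answers with a PAOS/SOAP request.
    status, _, body = transport.get(sp_url, ECP_HEADERS)
    if status != 200:
        raise EcpError("SP returned %d" % status)
    sp_env = ET.fromstring(body)
    paos_req = sp_env.find("soap:Header/paos:Request", NS)
    if paos_req is None:
        raise EcpError("SP did not return a PAOS request")
    rc_url = paos_req.get("responseConsumerURL")
    # 2. Send only the SOAP Body (the AuthnRequest) to the IdP's ECP endpoint, with
    #    HTTP Basic credentials when the caller supplied them (else rely on the session).
    idp_env = ET.Element(_tag("soap", "Envelope"))
    ET.SubElement(idp_env, _tag("soap", "Body")).extend(list(sp_env.find("soap:Body", NS)))
    hdrs = {"Content-Type": "text/xml"}
    if username is not None:
        hdrs["Authorization"] = "Basic " + base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    status, _, body = transport.post(idp_ecp_url, ET.tostring(idp_env), hdrs)
    if status != 200:
        raise EcpError("IdP returned %d (no credentials and no usable session?)" % status)
    idp_env = ET.fromstring(body)
    acs_url = idp_env.find("soap:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")
    # 3. Required by the ECP profile: the ACS URL the IdP asserts must equal the
    #    responseConsumerURL the SP sent; on mismatch the client must not deliver the
    #    assertion (a real client reports a SOAP fault to the SP instead).
    if acs_url != rc_url:
        raise EcpError("ACS URL mismatch: SP %r vs IdP %r" % (rc_url, acs_url))
    # 4. Swap the IdP's SOAP header for paos:Response (plus the SP's RelayState, if any)
    #    and POST the SAML Response to the SP's assertion consumer service.
    out = ET.Element(_tag("soap", "Envelope"))
    hdr = ET.SubElement(out, _tag("soap", "Header"))
    pr = ET.SubElement(hdr, _tag("paos", "Response"))
    pr.set(_tag("soap", "mustUnderstand"), "1")
    pr.set(_tag("soap", "actor"), "http://schemas.xmlsoap.org/soap/actor/next")
    relay = sp_env.find("soap:Header/ecp:RelayState", NS)
    if relay is not None:
        hdr.append(relay)
    out.append(idp_env.find("soap:Body", NS))
    status, _, body = transport.post(acs_url, ET.tostring(out), {"Content-Type": "application/vnd.paos+xml"})
    return status, body

# Constructed SP and IdP messages (not captured from real software; the Response is unsigned).
SP_PAOS_REQUEST = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>
<paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next" responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
<ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">ss:mem:1</ecp:RelayState>
</S:Header><S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0" IssueInstant="2018-04-10T00:00:00Z"/></S:Body></S:Envelope>"""
IDP_RESPONSE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>
<ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next" AssertionConsumerServiceURL="%ACS%"/>
</S:Header><S:Body><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_rsp1" InResponseTo="_req1" Version="2.0" IssueInstant="2018-04-10T00:00:01Z"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:Response></S:Body></S:Envelope>"""

class FakeTransport:
    """Hypothetical SP + IdP behind one cookie jar so the flow runs offline.
    container_auth=True models the misconfiguration from the text: the web
    server demands Basic credentials before the IdP ever sees the request."""
    SP = "https://sp.example.org/secure"
    ACS = "https://sp.example.org/Shibboleth.sso/SAML2/ECP"
    IDP = "https://idp.example.org/idp/profile/SAML2/SOAP/ECP"
    def __init__(self, container_auth=False, idp_acs=ACS):
        self.container_auth, self.idp_acs = container_auth, idp_acs
        self.cookies, self.password_checks = {}, 0  # cookie jar; how often a password was verified
    def get(self, url, headers):
        return (200, {}, SP_PAOS_REQUEST) if url == self.SP and "PAOS" in headers else (404, {}, b"")
    def post(self, url, body, headers):
        if url == self.ACS:  # a real SP validates the signed assertion here
            return 200, {}, b"welcome"
        if url != self.IDP:
            return 404, {}, b""
        basic_ok = headers.get("Authorization") == "Basic " + base64.b64encode(b"alice:s3cr3t").decode()
        if self.container_auth and not basic_ok:
            return 401, {}, b""  # rejected by the container; the IdP session cookie is never consulted
        if self.cookies.get("shib_idp_session") != "sess-1":  # the IdP looks for its own session first
            if not basic_ok:
                return 401, {}, b""
            self.password_checks += 1
            self.cookies["shib_idp_session"] = "sess-1"
        return 200, {}, IDP_RESPONSE.replace(b"%ACS%", self.idp_acs.encode())
```

Against a real deployment the transport would be a `requests.Session` (its cookie jar keeps the IdP session cookie between calls) returning `(r.status_code, r.headers, r.content)`. Two things a production client has to do differently: forward the IdP's SOAP Body bytes unchanged rather than re-serializing them with ElementTree, because altered namespace prefixes or whitespace invalidate the XML signature on the assertion; and, on an ACS URL mismatch, send the SP the SOAP fault the ECP profile calls for instead of only raising locally.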

To use Duo two-factor authentication with the ECP endpoint, you need to install a third-party contribution in your IdP. The Shibboleth Project plans to add this functionality itself in the future; for now, the contributed code from the University of Maryland provides it.

The code can be downloaded or cloned from:

https://github.com/JohnPfeifer/duo-non-browser

Documentation can be found here:

https://github.com/JohnPfeifer/duo-non-browser/wiki

TODO Integrate this into the doc:

How to Use Shibboleth for Single Sign-On to the AWS Management Console https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console
