Implement PAPE's multi-factor authentication policy

Bug #1064469 reported by Anthony Lenton
This bug affects 3 people
Affects: Canonical SSO provider
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

At the moment SSO can be configured to require 2fa per RP, for everybody or for certain teams.
But an RP (even a trusted one) can't ask SSO to require 2fa for a certain login using the multi-factor authentication policies specified on http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html

Currently, if you request multifactor- or physical-multifact-authentication SSO completely ignores these requests, and the OpenID authentication fails upon returning to the RP because it didn't include 2fa.

This would be one way to allow RPs to require 2fa for certain areas of a site, e.g. the admin interface, but not for other less privileged areas of the site.

Changed in canonical-identity-provider:
status: New → Confirmed
importance: Undecided → Medium
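
The RP side of the exchange described in this report, as an added example that is not part of the original report and is not Canonical SSO's or any OpenID library's code: it builds the PAPE request parameters and checks which policies a positive assertion actually carries. It assumes the OpenID signature on the assertion has already been verified by the RP's library; the function names, the `ext1` alias and the sample responses are constructed for illustration.

```python
from urllib.parse import parse_qsl

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"

# Constructed sample assertions (query strings on the RP's return_to URL).
SIGNED_CORE = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
RESPONSE_PAPE_IGNORED = "openid.mode=id_res&openid.signed=" + SIGNED_CORE
RESPONSE_WITH_2FA = (
    "openid.mode=id_res&openid.ns.ext1=" + PAPE_NS
    + "&openid.ext1.auth_policies=" + MULTI_FACTOR
    + "&openid.signed=" + SIGNED_CORE + ",ns.ext1,ext1.auth_policies"
)


def pape_request_params(policies, alias="pape"):
    """Parameters the RP adds to its checkid_setup request."""
    return {
        f"openid.ns.{alias}": PAPE_NS,
        f"openid.{alias}.preferred_auth_policies": " ".join(policies),
    }


def asserted_policies(query_string):
    """Policies the OP says it applied, counting only signed PAPE fields."""
    response = dict(parse_qsl(query_string))
    # The OP picks its own alias, so find the extension by namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in response.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return set()  # OP ignored the request: no PAPE data at all
    signed = response.get("openid.signed", "").split(",")
    if f"{alias}.auth_policies" not in signed:
        return set()  # an unsigned policy claim proves nothing
    return set(response.get(f"openid.{alias}.auth_policies", "").split())


def missing_policies(query_string, required):
    """Required policies the OP did not assert; an empty set means accept."""
    return set(required) - asserted_policies(query_string)
```

`RESPONSE_PAPE_IGNORED` models the behaviour reported here: the assertion is otherwise valid, but an RP that required `multi-factor` has to reject it because no signed PAPE policy comes back.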