You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Participants

Proposers
NameOrganisation
Slavek Licehammer & Pavel BrousekCESNET
GN4-3 project team
NameOrganisationRole
Ondrej ErnstCESNETdev, TIM
Pavel BrousekCESNETmentor













Stakeholders
Name

Organisation

Role 
ChristosGEANTeduTEAMS
SaToSa community

SimpleSAMLphp community (Stefan Winter, Joost van Dijk)

Restena, SURFnet


Stakeholder engagements

#An overview of the meetings we had with stakeholders and a pointer to notes (if any)#

DateName(s)OrganisationNotes
























Activity overview

Description

WebAuthn​ (Web Authentication), part of the FIDO2 Project, is a web standard published by the W3C that enables strong authentication with public-key cryptography, passwordless authentication, and secure two-factor authentication. The standard defines a JavaScript API which allows token registration and subsequent authentication. The API is implemented in current versions of all major browsers (​ Edge 18+, Firefox 60+, Chrome 67+, Safari 13+, Opera 54+​ ) and is also backwards-compatible with (legacy) U2F tokens.

This activity implements or extends this API into existing open source community products

Activity goals

The goal of this activity is to contribute to the SimpleSAMLphp Webauthn module as well as to develop a new custom module for SATOSA to support 2FA using the WebAuthn API. Resulted modules would be integrated and tested in eduTEAMS (SATOSA) and ELIXIR AAI (SimpleSAMLphp).

Activity Details

Technical details

Authentication proxies translate between authentication protocols such as SAML2, OIDC, and OAuth2. A proxy receives authentication requests from SPs or RPs and relays them onto IdPs or OPs. If a service requires two-factor authentication, for example, using the REFEDS assurance framework, and the identity provider does not support it, the proxy may perform the second-factor authentication. Two significant open-source examples are SimpleSAMLphp which can serve as an authentication proxy and Python-based​ SATOSA which was explicitly developed as a proxy.

WebAuthn can be used for passwordless authentication or for second-factor authentication to increase users‘ security. As of October 2019, a​ module for SimpleSAMLphp​ is being developed to bring WebAuthn support.

Business case

The implementation of WebAuthN modules for SATOSA and SimpleSAMLphp would enable major parts of the T&I community to use state-of-the-art multi factor authentication without implementing something on their own.

Risks
  • First time a project was proposed and will be implemented by TIM → unknown outcome
  • WebAuthN is a very popular standard with a lot of ongoing activities. It might happen that someone works already on a similar project or publishes before the activity ends.


Data protection & Privacy

The product handles highly sensitive authentication data which provide access to user identities. High standards for coding, security and quality control are required.


Definition of Done (DoD)

This activity is done when:

  • A prototype of a WebAuthN module for SATOSA and SimpleSAMLphp is implemented
  • The prototypes are successfully tested with eduTEAMS and ELIXIER
  • The module are provided to the SATOSA/SimpleSAMLphp community


Sustainability

The modules will be submitted to the upstream repositories and later managed by the corresponding communities.

Activity Results

Results


Meetings

Date

Activity

Owner

Minutes

November 25, 2019

Stakeholder meeting



















Documents

No files shared here yet.



  • No labels