cu-uis / cu-starterkit-project-old

Template for new custom upstreams using Drupal and Composer on Pantheon

Improve Authenticated User Experience #2

Open kreynen opened 3 years ago

kreynen commented 3 years ago

The MVP requirements related to authentication for ODE were simply to require staff to use an authentication method that matched CU's password policies. Since these are often changing and vary between the campuses and system, the easiest way to accomplish this was to inherit them from an SSO configuration that works for campuses or system.

After debugging the issues with simpleSAMLphp 1.19.0 and > with lax cookie policy changes in recent versions of Chrome and Chrome-based browsers and documenting that at https://github.com/cu-uis/cu-starterkit-project/wiki/SAML-Configuration, the MVP requirement is met.

To manage multiple CU Starter Kit based sites at scale, we need to improve the experience for authenticated users.

These are all tasks that replace functionality that existed in the D7 version of Web Express in some shape or form. They would improve online.cu.edu, but aren't required.

alexfinnarn commented 2 years ago

Have you considered adding MFA (Multi-factor Authentication) to the authentication requirements? For Central Advancement, most applications have adopted MFA via Duo and at some point, I could see MFA being a requirement for all apps with users who log in.

I am exploring https://pantheon.io/docs/guides/two-factor-authentication, and I think it makes sense for CU to adopt the same "Time-based One-time Password Algorithm (TOTP) app" for all Drupal-based applications.

I'll crosslink my issue as I work on it, but it's in the private cu-giving and not public: https://github.com/CUCentralAdvancement/cu-giving/issues/205

kreynen commented 2 years ago

The 2FA/MFA with Duo doesn't require any changes to the SAML configuration in the consuming app. It just delays Ping from handing the authenticated users back to the app until the Duo step is complete. The decision to use Duo or not is made in the application's entry in the IdP (in our case Federated Ping).

I think this makes sense for Advancement when the metadata about recent donor transactions is stored in the CMS. It seems like overkill for basic CMS edits, but since we are already using Duo for O365 now it probably makes sense to just add it everywhere to stay consistent.