iits-consulting / otc-auth

Open Source CLI for the Open Telekom Cloud written in Go.
GNU General Public License v3.0

Validate if SAML MFA works #5

Closed victorgetz closed 1 year ago

victorgetz commented 1 year ago

During our talk there was a question if we support SAML MFA.

jotabe87 commented 1 year ago

As far as I know the problem with MFA + SAML is that the flow is currently SP-initialized. We've tried to change it to be IdP-initialized, but we were stuck on some problems. In my experience we could:

  1. Try and see if the TOTP token can be sent through the current SP-initialized flow, similarly to what we do to username and password at the moment
  2. Try and change the flow to be IdP-initialized. This would then be similar to how the OIDC flow is implemented and the IdP would completely take care of MFA. This is also safer than currently sending Basic Auth through the SP-initiated request.
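The two flows named above differ in who starts the exchange and in what the SP can verify when the assertion comes back. The following Go program is an added example written for this thread; it is not code from otc-auth or from either commenter. It builds the SP-initiated side (an AuthnRequest encoded for the HTTP-Redirect binding, which an SP like otc-auth would send to the IdP) and then shows the check an assertion consumer service can run to tell an SP-initiated Response (carries `InResponseTo` matching a request the SP issued) from an IdP-initiated, unsolicited one (carries no `InResponseTo`). All hostnames and IDs are constructed placeholders.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"time"
)

// AuthnRequest is the minimal SAML 2.0 AuthnRequest an SP emits in the
// SP-initiated flow. Element and attribute names follow the SAML core schema.
type AuthnRequest struct {
	XMLName                     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID                          string   `xml:"ID,attr"`
	Version                     string   `xml:"Version,attr"`
	IssueInstant                string   `xml:"IssueInstant,attr"`
	Destination                 string   `xml:"Destination,attr"`
	AssertionConsumerServiceURL string   `xml:"AssertionConsumerServiceURL,attr"`
	Issuer                      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// BuildRedirectURL encodes the request for the HTTP-Redirect binding:
// raw DEFLATE, then base64, then the SAMLRequest query parameter on the IdP SSO URL.
// Only the request itself travels here; no user credentials ride along.
func BuildRedirectURL(idpSSO string, req AuthnRequest, relayState string) (string, error) {
	raw, err := xml.Marshal(req)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write(raw); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	u, err := url.Parse(idpSSO)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relayState != "" {
		q.Set("RelayState", relayState)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// DecodeSAMLRequest reverses the encoding, as the IdP does on receipt.
func DecodeSAMLRequest(encoded string) (AuthnRequest, error) {
	var req AuthnRequest
	compressed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return req, err
	}
	raw, err := io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
	if err != nil {
		return req, err
	}
	err = xml.Unmarshal(raw, &req)
	return req, err
}

// Response is the subset of a SAML Response the ACS needs to tell the flows apart.
type Response struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	InResponseTo string   `xml:"InResponseTo,attr,omitempty"`
}

// ClassifyResponse returns "sp-initiated" when InResponseTo names a request the SP
// actually issued (pending holds those IDs), "idp-initiated" when the Response is
// unsolicited, and an error when InResponseTo points at a request the SP never sent.
func ClassifyResponse(resp Response, pending map[string]bool) (string, error) {
	if resp.InResponseTo == "" {
		return "idp-initiated", nil
	}
	if !pending[resp.InResponseTo] {
		return "", fmt.Errorf("InResponseTo %q matches no outstanding request", resp.InResponseTo)
	}
	return "sp-initiated", nil
}

func main() {
	// Constructed placeholder endpoints; not real OTC or IdP URLs.
	const idp, sp, acs = "https://idp.example.test/sso", "https://sp.example.test", "https://sp.example.test/acs"
	req := AuthnRequest{ID: "_example-id", Version: "2.0", IssueInstant: time.Now().UTC().Format(time.RFC3339),
		Destination: idp, AssertionConsumerServiceURL: acs, Issuer: sp}
	u, err := BuildRedirectURL(idp, req, "otc-auth")
	if err != nil {
		panic(err)
	}
	fmt.Println("SP-initiated redirect:", u)
	kind, _ := ClassifyResponse(Response{InResponseTo: "_example-id"}, map[string]bool{"_example-id": true})
	fmt.Println("response classified as:", kind)
}
```

In an IdP-initiated flow there is no AuthnRequest to build at all: the user authenticates at the IdP (including any MFA the IdP enforces) and the IdP posts an unsolicited Response to the ACS, which is why `ClassifyResponse` accepts an empty `InResponseTo`. An SP that only ever issues requests itself can instead reject unsolicited Responses outright by treating that branch as an error.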