Deep Dive Topic: Using Two-Step Login with Shibboleth SSO

This article explains how to use Duo as a second factor of authentication when logging into services that use Shibboleth Single Sign-On (SSO).

Overview

Its intended audience is IT staff and power users comfortable with the concept of cookies.

The "Two-Step Login with Shibboleth SSO" service requires both a password and a second factor of authentication when accessing Shibboleth SSO services, providing additional protection to your online identity. The service is applied per user, not per service. Once a user is enrolled, they will rely on the Duo second-factor authentication for all Shibboleth service provider sites they visit.

Information

Enrollment

The service is being rolled out to select faculty and staff. If you have interest in using the service or other related questions, please email IS.IDS@uoregon.edu

Authentication Flow

When you access Shibboleth service providers you will continue to be presented with the username and password request window as shown below:

Image Description:  This image shows the white-on-green "University of Oregon" text located on the top.  Below this is the black-on-yellow "Login Required" text.  Below this, the window has a field to capture "Username" and a field to capture "Password".  Below these is a white-on-green text "Login" button used to submit your credentials.

Once you log in successfully with your credentials, you will be presented with the Duo screen as shown below:

Image Description:  This image shows the white-on-green "University of Oregon" text located on the top of the window. Below this is the black-on-yellow "Login Required" text.  Below this, the Duo selection box allows the user to select the Duo second-factor "Device" they would like to use and "Choose an authentication method", including "Send Me a Push", "Call Me", and "Enter a Passcode". At the bottom of the Duo selection box is a "Remember me for 7 days" check box.

The second window allows you to pick the Duo device you would like to use for the second factor. This can be any of the devices you have registered using the Duck ID site. More information on registering devices can be found here: Two-Step Login Device Registration and Management

At the bottom of this window is a check box, optionally allowing Duo to remember you for the next seven days.  If you check this box, you will not be prompted to provide your second factor during that time.

If you are automatically sent a push when you get to this new Duo screen and are not allowed to select the "Remember me for 7 days" option, this is because you've enabled auto-push on your Duo second-factor device. Log into the Duck ID registration site, and go to the "My Settings and Devices" window as shown on the Two-Step Login Device Registration and Management page. For your device, change the "When I log in" drop-down option from "Automatically send this device a Duo push" to the alternative "Ask me to choose an authentication method".

If you are presented with the message "You need to enable cookies in order to remember this device" when you select the "Remember me for 7 days" box, you need to go into your browser settings and allow cookies and cross-site tracking.

Shibboleth Cookie

To allow for single sign-on, a cookie is stored in your web browser when you authenticate with Shibboleth. This cookie is set to expire after thirty consecutive minutes of non-use or one hour after creation, whichever comes first. The cookie is used when you visit subsequent service providers that rely on Shibboleth authentication. Shibboleth confirms your identity by the existence of the active cookie instead of prompting you to re-enter your credentials.  These basic Shibboleth SSO settings have not been changed for the Shibboleth with Duo pilot.

Duo Cookie

Duo also uses a cookie in your browser to remember when you last successfully authenticated with Duo. When you select the "Remember me for 7 days" check box, described in the Authentication Flow section above, a cookie is stored in your web browser with an expiration date seven days into the future. Until that cookie expires, subsequent authentication attempts from the same browser will log you into the service without prompting you for the Duo second factor of authentication.

Cookie Jars

Your web browser has a public and a private space, each with its own cookie jar. The Shibboleth and Duo cookies are stored in the cookie jar of the space you are using at the time of authentication. If you subsequently move to a different container space or a different browser, you will be required to sign in again with Shibboleth and Duo.

Let's examine the case wherein you have the following four browser windows all running at the same time: a Chrome browser window, a Chrome Incognito browser window, a Firefox browser window, and a Firefox Private browser window. If you log into Confluence, authenticating with Shibboleth and Duo, while using your Firefox browser window, the cookies will be stored in the Firefox public cookie jar and you will experience single sign-on when subsequently visiting other Shibboleth service providers using the same Firefox browser window. You will not experience single sign-on in the other three browser windows until you authenticate in each of those spaces, which creates new cookies within those cookie jars.

Remember that Chrome Incognito and Firefox Private modes are both configured to delete your cookies when you close the browser window, even cookies with a future-dated expiration. Likewise, in the public Chrome and Firefox windows, your cookies will be deleted if you manually clear them using the browser's settings or third-party extensions and plug-ins.
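The cookie rules from the Shibboleth Cookie, Duo Cookie and Cookie Jars sections above, worked through as a small Python model: a 30-minute idle / 1-hour absolute Shibboleth session, a 7-day Duo remembered-device cookie, and one independent jar per browser context. This is an added illustration, not Shibboleth IdP or Duo code; the CookieJar class, the visit() function and the constant names are assumptions of the model, and times are integer minutes.

```python
# Added model of the cookie lifetimes described in this article (not Shibboleth
# or Duo code). All times are integer minutes on a shared clock.
SHIB_IDLE_MIN = 30              # Shibboleth session: 30 consecutive minutes of non-use
SHIB_MAX_MIN = 60               # ... or one hour after creation, whichever comes first
DUO_REMEMBER_MIN = 7 * 24 * 60  # "Remember me for 7 days"


class CookieJar:
    """One jar per browser context (e.g. Firefox public, Firefox Private)."""

    def __init__(self, private=False):
        self.private = private   # Incognito/Private jars are wiped on window close
        self.shib = None         # (created_at, last_used_at) or None
        self.duo_expires = None  # absolute expiry of the Duo remembered-device cookie

    def shib_valid(self, now):
        if self.shib is None:
            return False
        created, last_used = self.shib
        return now - last_used < SHIB_IDLE_MIN and now - created < SHIB_MAX_MIN

    def duo_valid(self, now):
        return self.duo_expires is not None and now < self.duo_expires

    def close_window(self):
        # Private/Incognito windows discard cookies on close, even unexpired ones.
        if self.private:
            self.shib, self.duo_expires = None, None


def visit(jar, now, remember_me=False, cookies_enabled=True):
    """Simulate visiting a Shibboleth service provider from the given jar.

    Returns the prompts the user sees: [] (silent SSO), ["password"]
    (Shibboleth session gone, Duo cookie still valid) or ["password", "duo"].
    """
    if jar.shib_valid(now):
        jar.shib = (jar.shib[0], now)   # touch last-use; creation time is unchanged
        return []
    prompts = ["password"]
    if not jar.duo_valid(now):
        prompts.append("duo")
        if remember_me and cookies_enabled:   # with cookies blocked, "remember" cannot stick
            jar.duo_expires = now + DUO_REMEMBER_MIN
    if cookies_enabled:
        jar.shib = (now, now)
    return prompts
```

Note that a jar never extends the Shibboleth session past its one-hour creation limit, no matter how actively it is used.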

Request Help

To submit questions or report problems with the "Two-Step Login with Shibboleth SSO" service, please proceed to the UO Service Portal.


Details

Article ID: 71026
Created: Mon 1/28/19 8:44 PM
Modified: Thu 3/26/20 12:34 PM