Deploying Two-Factor Authentication to 45k Users Bryan Wooten Rachael Sheedy Brandon Gresham


Deploying Two-Factor Authentication to 45k Users

Bryan Wooten

Rachael Sheedy

Brandon Gresham


Two-Factor Authentication (2FA)


The Beginning
• NSTIC Grant
• https://spaces.internet2.edu/display/scalepriv/Scalable+Privacy
• Funds used to hire consultants to modify SSO
  – Central Authentication Service (CAS)
    • Apereo CAS
  – Under $100k


The Environment


Pilot Rollout
• Staggered rollout to IT and HR employees
• Built Duo Self-Service App
  – Original source code from University of Chicago
  – Forks from University of Utah
    • Public: Helpdesk component (generate bypass-code)
    • Private: integrations, UI/UX, improved operational support, bug fixes & policy-enforcements, automations


Self-Service App


Project Scope
• Applications
  – 150+ SAML (Shibboleth) / Cloud (Canvas)
  – 600+ Campus hosted Web apps (PeopleSoft / Homegrown / JAVA / .NET / PHP / Ruby)
• All Current Employees
  – Includes student employees
• All users accessing VPN and clinical servers
• Offshore Vendors


Two 2FA Services

Offshore vendors for University Medical Billing and Revenue Billing

Providers using e-Prescribe

Remote Access to Clinical Servers

Remote Access to Campus Servers

Remote Access via Citrix Access Gateway

Remote Access via Clinical and Non-Clinical VPN

All applications protected by CAS-WEB


Communications Plan
• Targeted emails
• Newsletter & website announcements
• Dedicated 2FA website
• Modal announcement on employee page
• Employee appreciation day booth
• Numerous meetings with governing and leadership groups
• And, a tagline…


The Aftermath…

[Chart: Total employee 2FA enrollment, as of 2/27/2017. Values shown: 89% and 11%; legend: Enrolled, Unenrolled.]

[Chart: Monthly Duo 2FA Authentications, Oct through Jan, vertical axis up to 700,000. As of 2/9/2017.]

*As of Feb 2017


…Continued…
• Top reasons for helpdesk calls:
  – Step-by-step support
  – Need bypass code
  – RSA or Duo?
• Significant increase in helpdesk call volume after implementation
  – Primary reason was procrastination


Lessons Learned
• Executive buy-in!!
  – Canvas pushback
• Engage dept IT leaders for support
• Start with a pilot rollout
• Testing center issues: Whitelist!
• Provide self-service


Live Demo


Original source code from University of Chicago: https://github.com/uchicago/duo-registration

Fork from University of Utah: https://github.com/bane73/duo-registration

Thank You!


Appendix
