Single Sign On:Layout-2019

From CT Wiki
(Difference between revisions)
(What about this "Enable high-assurance" box)
(What about this "Enable high-assurance" box)
Line 24: Line 24:
 
First: if you have no idea what this means: just ''don't click the box''. This is not for you yet ... and if you have clicked the box, just leave the entrybox completely ''empty''.
 
First: if you have no idea what this means: just ''don't click the box''. This is not for you yet ... and if you have clicked the box, just leave the entrybox completely ''empty''.
  
The "Enable high-assurance" checkbox will open up a "One-time code (optional)" entrybox. If - ''and only if'' - you have enrolled in the two-factor autentication test group, using Google Authenticator or another compatible time-based one-time PIN system like FreeOTP, you can enter the one-time code here to raise the authenticator assurance level and demonstrate that to service providers by means of the REFEDS MFA authentication context reference. Compatible service providers can then use it to grant you access, or grant acess to higher-value functions in their service.
+
The "Enable high-assurance" checkbox will open up a "One-time code (optional)" entrybox. If - ''and only if'' - you have enrolled in the two-factor autentication test group, using Google Authenticator or another compatible time-based one-time PIN system like FreeOTP, you can enter the one-time code here to raise the authenticator assurance level and demonstrate that to service providers by means of the [https://refeds.org/mfa REFEDS MFA] authentication context reference. Compatible service providers can then use it to grant you access, or grant acess to higher-value functions in their service.
  
 
= Why did this change happen now? =
 
= Why did this change happen now? =
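Review bot: the revised "One-time code" paragraph still carries the misspellings "autentication" and "acess", unchanged on both sides of the diff. Since this revision already touches that paragraph to add the [https://refeds.org/mfa REFEDS MFA] link, correct them to "authentication" and "access" in the same edit.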

Revision as of 19:48, 17 July 2019


Nikhef SSO Service Changes

The Nikhef single sign-on service (SSO) enables you to log in to a wide range of services using a single credential, and to seamlessly connect to new applications for many hours, almost the whole day, without having to log in again.

What is changing?

In July 2019, the visual appearance of the login page will change. This is an intended change, and the ways to check if you really connect to Nikhef are the same: look for the domain name (should end in "nikhef.nl"), and desktop browsers should show a green address bar with "Nikhef (NL)" in it. The page will look like this on your desktop and laptop browser, or respectively on your hand-held or small-screen mobile device (the "Enable high-assurance" checkbox is experimental and for test-group users only):

Sso2019-desktop.jpg Sso2019-mobile.jpg

What is in it for me?

This change is necessary for the following new features:

  • capabilities for new services using the OpenID Connect protocol
  • improved rendering of the SSO web pages on small, hand-held devices

Other improvements and changes will happen over time. Some of these are already experimentally available, others may follow:

What about this "Enable high-assurance" box

First: if you have no idea what this means: just don't click the box. This is not for you yet ... and if you have clicked the box, just leave the entrybox completely empty.

The "Enable high-assurance" checkbox will open up a "One-time code (optional)" entrybox. If - and only if - you have enrolled in the two-factor authentication test group, using Google Authenticator or another compatible time-based one-time PIN system like FreeOTP, you can enter the one-time code here to raise the authenticator assurance level and demonstrate that to service providers by means of the REFEDS MFA (https://refeds.org/mfa) authentication context reference. Compatible service providers can then use it to grant you access, or grant access to higher-value functions in their service.
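How a compatible service provider might act on that authentication context, as an added example (not Nikhef's or SimpleSAMLphp's code). It assumes the SAML assertion or OIDC ID token has already been signature-validated by the provider's own SAML/OIDC library; the function names, the "basic"/"elevated" tiers and the sample messages are hypothetical and constructed here.

```python
import xml.etree.ElementTree as ET

# REFEDS MFA profile identifier as published by REFEDS.
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def contexts_from_saml(assertion_xml: str) -> set:
    """Collect AuthnContextClassRef values from an assertion.

    Assumption: the caller has already verified the assertion's signature,
    audience and validity window with its SAML library.
    """
    root = ET.fromstring(assertion_xml)
    refs = root.findall(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        SAML_NS,
    )
    return {r.text.strip() for r in refs if r.text}


def contexts_from_oidc(claims: dict) -> set:
    """Read the 'acr' claim from already-validated ID token claims."""
    acr = claims.get("acr")
    return {acr} if isinstance(acr, str) and acr else set()


def access_tier(contexts: set) -> str:
    """Hypothetical policy: elevated functions only on an exact REFEDS MFA match.

    A missing, malformed or look-alike value falls back to "basic" (fail closed).
    """
    return "elevated" if REFEDS_MFA in contexts else "basic"


def sample_assertion(class_ref: str) -> str:
    """Build a minimal constructed assertion fragment for demonstration."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    print(access_tier(contexts_from_saml(sample_assertion(REFEDS_MFA))))
    print(access_tier(contexts_from_saml(sample_assertion(PASSWORD_ONLY))))
    print(access_tier(contexts_from_oidc({"sub": "user", "acr": REFEDS_MFA})))
```
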

Why did this change happen now?

The ability to provide OpenID Connect (OIDC) authentication capabilities is necessary for modern applications (like popular CI/CD tools), but also for non-web authentication from the command line. Our SSO software, SimpleSAMLphp, only has OIDC support in the latest versions, and then only with modules that require the use of the 'new UI' user interface suite based on Symfony-Twig responsive web design frameworks. Adding the OIDC capability we needed for connecting dCache and other portals therefore triggered a complete 'upgrade cascade': a new version of SimpleSAMLphp, use of Packagist frameworks, and through the OIDC module also the 'usenewui' Twig changes, and so forth.

Can I see it for myself?

Until the change goes 'live', you can preview it by using the account status viewer on the SSO test pages:
