IAM in Service Catalog
The UW IdP supports a few simple access control policies that can be requested by an SP operator and that will subsequently be enforced by the IdP on behalf of an SP. The following access policies are available:
These policies are of particular value for SPs that are unable to request 2FA at sign-in time via standard SAML mechanisms or that can't consume attributes from the IdP or other sources and use that information to enforce an SP access policy at sign-in time.
Auto 2FA or Conditional 2FA can be paired with Conditional Access, but Auto 2FA and Conditional 2FA are mutually exclusive.
The default 2FA policy is "2FA by SP request." If your SP can request 2FA by using authnContextClassRef in the SAML authentication request, leave this default setting.
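The following is an added example, not code from UW-IT or the SP Registry, showing what "2FA by SP request" looks like on the wire: the SP puts a `RequestedAuthnContext` with an `AuthnContextClassRef` into its SAML AuthnRequest, and, after the IdP responds, checks that the returned assertion actually carries that context before treating the session as 2FA-authenticated. The REFEDS MFA profile URI is assumed as the class reference (the page does not state which URI the UW IdP expects); the entityID and SSO URL are placeholders, and the two responses are constructed samples, not captured IdP output.

```python
"""Added example (not UW's code): request an authentication context in a SAML
AuthnRequest and verify the IdP honoured it.

Assumptions: the REFEDS MFA profile URI is the class reference the IdP
accepts for 2FA; entityIDs and URLs are placeholders; signature validation of
the response is out of scope here and must happen before this check in a
real SP.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Assumption: the context class asked for when the SP wants 2FA (REFEDS MFA).
MFA_CLASS_REF = "https://refeds.org/profile/mfa"
# Placeholder identifiers, not real UW values.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
IDP_SSO_URL = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"


def build_authn_request(sp_entity_id=SP_ENTITY_ID, class_ref=MFA_CLASS_REF,
                        comparison="exact"):
    """Return an AuthnRequest (XML text) asking for the given class ref.
    Comparison="exact" tells the IdP that only this class satisfies the
    request, so it cannot substitute a weaker (password-only) context."""
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{NS_SAMLP}}}RequestedAuthnContext",
                        {"Comparison": comparison})
    ET.SubElement(rac, f"{{{NS_SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")


def requested_class_refs(authn_request_xml):
    """Parse an AuthnRequest and list the class refs it asks for."""
    root = ET.fromstring(authn_request_xml)
    return [e.text for e in root.iter(f"{{{NS_SAML}}}AuthnContextClassRef")]


def assertion_satisfies_mfa(response_xml, required=MFA_CLASS_REF):
    """SP-side enforcement: after the response signature has been validated,
    confirm the AuthnStatement carries the requested context. An SP that
    only *asks* for 2FA but never checks the answer has no 2FA policy."""
    root = ET.fromstring(response_xml)
    refs = [e.text for e in root.iter(f"{{{NS_SAML}}}AuthnContextClassRef")]
    return required in refs


# Constructed sample responses (not captured from any real IdP), trimmed to
# the elements this check looks at.
MFA_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}">
  <saml:Assertion><saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{MFA_CLASS_REF}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
</samlp:Response>"""

PASSWORD_ONLY_RESPONSE = MFA_RESPONSE.replace(
    MFA_CLASS_REF,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

if __name__ == "__main__":
    print(build_authn_request())
    print("MFA response accepted:", assertion_satisfies_mfa(MFA_RESPONSE))
    print("Password-only response accepted:",
          assertion_satisfies_mfa(PASSWORD_ONLY_RESPONSE))
```

The second half is the part that matters for the policies this page describes: an SP that can build the request above and reject the password-only response is one that can keep the default "2FA by SP request" setting; an SP that cannot do either is the one the Auto 2FA and Conditional 2FA policies exist for, because the IdP then enforces the requirement on its behalf.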
Note that these access policies are applied at the entity ID level and they will affect all applications and content using the same entity ID.
The SP Registry application provides a self-service interface to request these access policies for an SP. Instructions follow.
To request Auto 2FA:
Your request will be forwarded to a specialist who will evaluate it and enable the requested features as appropriate. Once enabled, anyone who accesses your application will be required to sign in with 2FA.
To request Conditional 2FA:
When you configure conditional access for your SP, you may also provide an "Access Error URL." When an unauthorized user attempts to access your SP, the IdP will return an error page to the browser that includes your URL. On your access error page you should provide helpful information to the user about your access policy and how they can resolve the access issue. The access error URL request will be available via self-service in the next version of SP Registry, but for the time being you will have to write to email@example.com to request configuration. Please include your SP entityID and the URL of your help page in your request.
Your request will be forwarded to a specialist who will evaluate it and enable the requested features as appropriate. Once enabled, all members of the group specified in step 6 will be required to sign in with 2FA.
To request Conditional Access:
Your request will be forwarded to a specialist who will evaluate it and enable the requested features as appropriate. Once enabled, only members of the group specified in step 6 will be able to sign in.
Once you have conditional access in place, be careful not to delete or empty the group you requested in #6 above until you have turned off conditional access in the SP Registry and that request has been completed. If you delete or empty the group first, the IdP will treat every user as outside the allowed group and no one will be able to sign in to the SP.