
Introduction

The UW IdP supports a few simple access control policies that can be requested by an SP operator and that will subsequently be enforced by the IdP on behalf of an SP. The following access policies are available:

  • Auto 2FA requires all users of an SP to sign in with 2FA. 
  • Conditional 2FA requires members of a UW Group to sign in with 2FA. 
  • Conditional Access only allows access to members of a UW Group.

These policies are of particular value for SPs that are unable to request 2FA at sign-in time via standard SAML mechanisms or that can't consume attributes from the IdP or other sources and use that information to enforce an SP access policy at sign-in time. 

Usage guidelines

Auto 2FA or Conditional 2FA can be paired with Conditional Access, but Auto 2FA and Conditional 2FA are mutually exclusive.

The default 2FA policy is "2FA by SP request." If your SP can request 2FA by using authnContextClassRef in the SAML authentication request, leave this default setting.
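The following is an added example (not code from this page or from the SP Registry) showing, with Python's standard library only, the SAML mechanism the default policy relies on: an SP that can drive 2FA itself puts a RequestedAuthnContext into its AuthnRequest, and then checks the AuthnContextClassRef in the assertion it receives instead of assuming the request was honoured. The class reference value (the REFEDS MFA profile URI), the entity IDs and the endpoint URLs are assumptions; substitute the authnContextClassRef your IdP documents for 2FA.

```python
# Added example, not part of the UW IdP page or SP Registry: request 2FA via
# RequestedAuthnContext and verify the assertion actually reports it.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed value: the REFEDS MFA profile URI. The page does not state which
# class reference the UW IdP honours; use the one your IdP documents.
MFA_CLASS_REF = "https://refeds.org/profile/mfa"


def build_authn_request(sp_entity_id, idp_sso_url, acs_url, class_ref=MFA_CLASS_REF):
    """Return a serialized SAML 2.0 AuthnRequest that requires `class_ref`."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    # Comparison="exact": the IdP must satisfy this class, not a weaker one.
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")


def requested_class_ref(request_xml):
    """Parse an AuthnRequest back and return (Comparison, [class refs])."""
    root = ET.fromstring(request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text for e in rac.iter(f"{{{SAML}}}AuthnContextClassRef")]
    return rac.get("Comparison"), refs


def assertion_satisfies_mfa(assertion_xml, class_ref=MFA_CLASS_REF):
    """True only if every AuthnContextClassRef in the assertion equals class_ref.

    Requesting 2FA is not the same as getting it: the SP must inspect the
    AuthnStatement it receives (after validating the signature, which a
    real SP library does and this example does not).
    """
    root = ET.fromstring(assertion_xml)
    refs = [e.text.strip() for e in root.iter(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return bool(refs) and all(r == class_ref for r in refs)


# Constructed sample assertions (not real IdP output) for exercising the check.
SAMPLE_MFA_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_c1">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{MFA_CLASS_REF}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

SAMPLE_PASSWORD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_c2">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    # Assumed entity IDs and endpoints, for illustration only.
    request = build_authn_request(
        "https://sp.example.edu/shibboleth",
        "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO",
        "https://sp.example.edu/Shibboleth.sso/SAML2/POST",
    )
    print(request)
    print("MFA sample accepted:", assertion_satisfies_mfa(SAMPLE_MFA_ASSERTION))
    print("Password sample accepted:", assertion_satisfies_mfa(SAMPLE_PASSWORD_ASSERTION))
```

The second function is the part SP operators most often skip: if the SP sends the request but does not check the returned class reference, a misconfigured or downgraded response would be accepted as if 2FA had happened. SPs that cannot do either step are the ones the Auto 2FA and Conditional 2FA policies above are meant for.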

Note that these access policies are applied at the entity ID level and they will affect all applications and content using the same entity ID.

The SP Registry application provides a self-service interface to request these access policies for an SP. Instructions follow. 

Auto 2FA

To request Auto 2FA:

  1. Go to the SP Registry application.
  2. Find your SP in the list and select it.
  3. Click the "Access Control" tab.
  4. Click "Request Access Control."
  5. Under the heading "2FA," select the button labeled "Auto 2FA: All users must use 2FA."
  6. Click the "Save changes" button.

Your request will be forwarded to a specialist who will evaluate it and enable the requested features as appropriate. Once enabled, anyone who accesses your application will be required to sign in with 2FA. 

Conditional 2FA

To request Conditional 2FA:

  1. Go to the SP Registry application.
  2. Find your SP in the list and select it.
  3. Click the "Access Control" tab.
  4. Click "Request Access Control."
  5. Under the heading "2FA," select the button labeled "Conditional 2FA: Only members of group must use 2FA."
  6. Type a UW Group name in the box labeled "Conditional 2FA group."
  7. Click the "Save changes" button.

New!

When you configure conditional access for your SP, you may also provide an "Access Error URL." When an unauthorized user attempts to access your SP, the IdP will return an error page to the browser that includes your URL. On your access error page you should provide helpful information to the user about your access policy and how they can resolve the access issue. The access error URL request will be available via self-service in the next version of SP Registry, but for the time being you will have to write to help@uw.edu to request configuration. Please include your SP entityID and the URL of your help page in your request.

Your request will be forwarded to a specialist who will evaluate it and enable the requested features as appropriate. Once enabled, all members of the group specified in step 6 will be required to sign in with 2FA. 

Conditional Access

To request Conditional Access:

  1. Go to the SP Registry application.
  2. Find your SP in the list and select it.
  3. Click the "Access Control" tab.
  4. Click "Request Access Control."
  5. Under the heading "Conditional Access," check the box labeled "Enable conditional access."
  6. Type a UW Group name in the box labeled "Conditional access group."
  7. Click the "Save changes" button.

Your request will be forwarded to a specialist who will evaluate it and enable the requested features as appropriate. Once enabled, only members of the group specified in step 6 will be able to sign in.

Once conditional access is in place, do not delete or empty the group you specified in step 6 until you have turned off conditional access in the SP Registry and that request has been completed. If you delete or empty the group first, no one will be able to sign in to the SP.
