On January 22, 2013 4:55 , Florian Mueller <flo2muel...@gmail.com> wrote:
> Yes, I did configure the factor as secondary (-2) but the problem was
> that I didn't know how to enable factors only for specific users
> instead of services. In our environment the user should be able to
> decide whether he wants to use Google Authenticator or not.
>
> But in the meantime I solved it by enabling the factor in all services
> and querying some database inside the factor which determines whether the
> user enabled second factor and returns OK when he didn't. This is not
> the best solution, which would be some script which decides which
> factors are required by the user. This script would sit between
> Kerberos auth and the other factors.

I think that is a clever solution for doing this on the central weblogin server, and as long as you are happy with this solution, I think it should be fine. As you have discovered, cosign does not have a central database for storing user configuration and controlling the user's experience centrally. Instead, it is up to each individual cosign-protected web server to say what it requires the user to have.

We have a web service here where the second factor is required not only for certain users, but also only for certain POST data. It's a ticketing system where the second factor is only required if the user is accessing a sensitive ticket queue and also has a privileged role with respect to that queue. We made a small change to the web app that looks up the queue number and the user role for that queue, and if the queue is marked as sensitive and the user has elevated privileges, the web app redirects the user to the central weblogin server for reauthentication using the second factor, in the exact same way as the cosign filter redirects users.

As you can see, this is a case where the second factor is enabled only for specific users instead of services, but we leave the decision up to the service, and initiate the action from the service. Even though this is not what you want, I hope the idea is helpful.

--
Mark Montague
m...@catseye.org
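
The service-side step-up check described in the reply above, sketched as an added example (not part of the original message, and not code from cosign or from the ticketing system). Assumptions: the filter exposes the already-satisfied factors to the app in an environment variable, here called `COSIGN_FACTOR`; the factor name `otp`, the `REAUTH_URL` layout and the in-memory tables are hypothetical placeholders.

```python
from urllib.parse import quote

# Hypothetical names: factor label, weblogin URL layout, and sample tables
# standing in for the ticketing system's database (constructed data).
SECOND_FACTOR = "otp"
REAUTH_URL = "https://weblogin.example.edu/reauth"  # placeholder, not cosign's real format
SENSITIVE_QUEUES = {7}
PRIVILEGED_ROLES = {"admin", "staff"}
QUEUE_ROLES = {(7, "alice"): "admin", (7, "bob"): "requester", (3, "alice"): "admin"}


def needs_second_factor(user, queue_id):
    """Second factor is required only for a privileged role on a sensitive queue."""
    role = QUEUE_ROLES.get((queue_id, user))
    return queue_id in SENSITIVE_QUEUES and role in PRIVILEGED_ROLES


def step_up_redirect(environ, queue_id):
    """Return the reauthentication URL, or None if the request may proceed.

    The identity and factor list are read only from server-side values set by
    the authentication filter, never from request parameters.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        raise PermissionError("request reached the app without an authenticated user")
    if not needs_second_factor(user, queue_id):
        return None
    satisfied = set(environ.get("COSIGN_FACTOR", "").split())
    if SECOND_FACTOR in satisfied:
        return None
    # Send the user back to the page they asked for after reauthentication.
    dest = quote(environ.get("REQUEST_URI", "/"), safe="")
    return f"{REAUTH_URL}?factors={SECOND_FACTOR}&dest={dest}"


if __name__ == "__main__":
    base = {"REQUEST_URI": "/ticket?id=1&q=7"}
    cases = [("alice", "kerberos", 7), ("alice", "kerberos otp", 7),
             ("bob", "kerberos", 7), ("alice", "kerberos", 3)]
    for user, factors, queue in cases:
        env = dict(base, REMOTE_USER=user, COSIGN_FACTOR=factors)
        print(user, queue, factors, "->", step_up_redirect(env, queue))
```
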