...

General Configuration

V4.0:

Use authn/mfa-authn-config.xml to configure this flow.

V4.1+:

Most of the flow configuration is in authn/mfa-authn-config.xml, but some generic settings that apply to every login flow are in authn/authn.properties.

...

You can split these concerns any way you prefer, but putting at least some of your logic into the reuse condition rather than into the MFA rules themselves improves efficiency: when the reuse condition allows a previous result to be reused, the MFA flow does not run at all. In the simplest case, if you want the MFA rules to run on every request no matter what, disable reuse of the flow's result:

V4.0, in authn/general-authn.xml:
...
        <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true"
                p:reuseCondition="false">

            ...etc...

        </bean>
...
V4.1+, in authn/authn.properties:
...
idp.authn.MFA.reuseCondition = shibboleth.Conditions.FALSE
...

...

Reference

Beans (V4.0)

The beans defined in authn/mfa-authn-config.xml follow:

Bean ID / Type, Default, Description:

shibboleth.authn.MFA.TransitionMap
    Type: Map<String,MultiFactorAuthenticationTransition>
    Default: (none)
    Description: Static ruleset containing the starting point for MFA execution and the rules used to decide what work to do

shibboleth.authn.MFA.TransitionMapStrategy
    Type: Function<ProfileRequestContext,Map<String,MultiFactorAuthenticationTransition>>
    Default: (none)
    Description: Optional function bean that returns the ruleset to use instead of the static ruleset

shibboleth.authn.MFA.Transition
    Type: MultiFactorAuthenticationTransition
    Default: (none)
    Description: Parent bean for defining the transition rules that make up the values of the TransitionMap entries

shibboleth.authn.MFA.validateLoginTransitions
    Type: Boolean
    Default: true
    Description: Whether a login flow selected by a transition is first checked for compatibility with request conditions such as forceAuthn, isPassive and nonBrowser (and similar) before it is run

shibboleth.authn.MFA.resultMergingStrategy
    Type: Function<ProfileRequestContext,AuthenticationResult>
    Default: described above
    Description: Function run to produce the final merged result of the MFA login flow on successful completion

shibboleth.authn.MFA.resultCachingPredicate
    Type: Predicate<ProfileRequestContext>
    Default: (none)
    Description: Optional bean that controls whether the authentication result is preserved in the IdP session
Beans (V4.1+)

The beans defined in authn/mfa-authn-config.xml follow (in V4.1+ the validateLoginTransitions setting is a property rather than a bean; see the Properties tab):

Bean ID / Type, Default, Description:

shibboleth.authn.MFA.TransitionMap
    Type: Map<String,MultiFactorAuthenticationTransition>
    Default: (none)
    Description: Static ruleset containing the starting point for MFA execution and the rules used to decide what work to do

shibboleth.authn.MFA.TransitionMapStrategy
    Type: Function<ProfileRequestContext,Map<String,MultiFactorAuthenticationTransition>>
    Default: (none)
    Description: Optional function bean that returns the ruleset to use instead of the static ruleset

shibboleth.authn.MFA.Transition
    Type: MultiFactorAuthenticationTransition
    Default: (none)
    Description: Parent bean for defining the transition rules that make up the values of the TransitionMap entries

shibboleth.authn.MFA.resultMergingStrategy
    Type: Function<ProfileRequestContext,AuthenticationResult>
    Default: described above
    Description: Function run to produce the final merged result of the MFA login flow on successful completion

shibboleth.authn.MFA.resultCachingPredicate
    Type: Predicate<ProfileRequestContext>
    Default: (none)
    Description: Optional bean that controls whether the authentication result is preserved in the IdP session
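The following is an added example, not the page's own text and not the project's stock authn/mfa-authn-config.xml. It shows how the TransitionMap and Transition beans from the tables above (the bean IDs are the same in V4.0 and V4.1+) fit together for the IPAddress-then-Password combination this page refers to. It assumes the util: and p: namespaces that the stock file header declares (the header is not part of this excerpt), the transition bean's nextFlow and nextFlowStrategy properties and the shibboleth.ContextFunctions.Scripted parent bean, none of which the tables above list; the bean id checkIPAddressResult is a name chosen for this example.

```xml
<!-- Added example for authn/mfa-authn-config.xml; not the stock configuration.
     Assumes xmlns:util and xmlns:p are declared in the file header. -->

<util:map id="shibboleth.authn.MFA.TransitionMap">

    <!-- The empty key is the starting point: run the IPAddress flow first. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/IPAddress" />
    </entry>

    <!-- When the IPAddress flow completes with the default "proceed" event,
         hand the decision about what to run next to a scripted function. -->
    <entry key="authn/IPAddress">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkIPAddressResult" />
    </entry>

    <!-- No entry is keyed by authn/Password: when that flow finishes, the MFA
         flow completes and shibboleth.authn.MFA.resultMergingStrategy builds
         the final merged AuthenticationResult. -->
</util:map>

<!-- Bean id chosen for this example (hypothetical). Returns the ID of the next
     flow to run, or null to end the MFA flow successfully. -->
<bean id="checkIPAddressResult" parent="shibboleth.ContextFunctions.Scripted"
        factory-method="inlineScript">
    <constructor-arg>
        <value>
            <![CDATA[
            // "input" is the ProfileRequestContext; walk down to the MFA context.
            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

            // Default: require the Password flow as well.
            nextFlow = "authn/Password";

            // isAcceptable() is true when the results collected so far already
            // satisfy the request's authentication requirements, so there is
            // nothing further to do.
            if (mfaCtx.isAcceptable()) {
                nextFlow = null;
            }

            nextFlow;
            ]]>
        </value>
    </constructor-arg>
</bean>
```

Two points to check before relying on a map like this. First, nextFlow and nextFlowStrategy apply to the flow's default "proceed" event; a transition's handling of other events (a failed address check, for example) is configured through its event-keyed strategy map, which this excerpt does not cover. Second, because a script can end the flow with null after only the IPAddress step, pair it with an appropriate supportedPrincipals setting (see the Properties tab) so that a request for a stronger context class cannot be satisfied by the address check alone.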
Properties (V4.1+)

Properties specific to this flow defined in authn/authn.properties are:

Name, Default, Description:

idp.authn.MFA.validateLoginTransitions
    Default: true
    Description: Whether a login flow selected by a transition is first checked for compatibility with request conditions such as forceAuthn, isPassive and nonBrowser (and similar) before it is run

As a generic flow, the supportedPrincipals property defaults to the following XML:

<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list>

In property form, this is expressed as:

idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password

This default is not intended to suit most deployments; it simply matches the flow's default/example configuration, in which the IPAddress and Password flows are combined, so that a result from either flow can satisfy the corresponding requested context. Adjust it to reflect the factors your own transition rules actually require.

Flow Descriptor XML (V4.1+)

...