...
- An Authentication request arrives at Shibboleth IdP
The Shibboleth IdP observes it's configured for SAML sign on and redirects to an upstream IdP (Azure AD). Settings for this are controlled in
idp.properties
authn/saml-authn-config.xml
- User Authenticates or has an existing session at upstream IdP (Azure AD)
- The upstream IdP (Azure AD) constructs a SAML Assertion with one or more attributes and is sent with the user to the Shibboleth IdP
- The Shibboleth IdP receives the assertion and:
verifies that the assertion arrives from an entity it trusts as configured in
metadata-providers.xml
- filters the assertion according to rules in
attribute-filter.xml
- Extracts the real user as configured in attribute-based subject c14n.
- Looks through list of
AttributesToResolve
in the resolver and resolves each one. - Looks through list of resulting attributes in
AttributeSourceIds
and picks the first valid one to be the principal's name to be used later
- Looks through list of
- Resulting trusted real username is used as
$resolutionContext.principal
(eg. existing LDAP data connector, etc.) during "standard" attribute resolution process
...
Code Block | ||
---|---|---|
| ||
<util:map id="shibboleth.PrincipalProxyRequestMappings"> <entry> <key> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" /> </key> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://schemas.microsoft.com/claims/multipleauthn" /> </list> </entry> </util:map> <util:map id="shibboleth.PrincipalProxyResponseMappings"> <entry> <key> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://schemas.microsoft.com/claims/multipleauthn" /> </key> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" /> </list> </entry> </util:map> |
Update the support matrix for the SAML authentication flow to understand the REFEDS MFA profile
Update the authn/SAML bean in authn/general-authn.xml so it understands the REFEDS MFA profile by adding a supportedPrinciples property:
Code Block | ||||
---|---|---|---|---|
| ||||
<bean id="authn/SAML" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true"
p:proxyScopingEnforced="true"
p:discoveryRequired="true">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://refeds.org/profile/mfa" />
</list>
</property>
</bean> |
Testing
Restart your IdP for your changes to take effect. Because this is a SAML proxy configuration it doesn't make sense to use aacli
since it won't have the required information available to it.
...