...
Update the support matrix for the SAML authentication flow to understand the REFEDS MFA profile
(For v4.0.1) Update the authn/SAML bean in authn/general-authn.xml so that it understands the REFEDS MFA profile by adding a supportedPrincipals property (the name must be spelled exactly; an unknown property name is a Spring startup error). Listing https://refeds.org/profile/mfa here declares that the proxy flow can satisfy a request for that authentication context; the upstream IdP still has to actually perform the MFA and assert that context in its response:
```xml
<bean id="authn/SAML" parent="shibboleth.AuthenticationFlow"
      p:nonBrowserSupported="false"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true"
      p:proxyScopingEnforced="true"
      p:discoveryRequired="true">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                  c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="https://refeds.org/profile/mfa" />
        </list>
    </property>
</bean>
```
The change required in v4.1 and later may differ, because the flow settings are configured through authn.properties there; check that file for the equivalent setting instead of editing the bean directly.
Testing
Restart the IdP for the change to take effect. Because this is a SAML proxy configuration, aacli is not a useful test: it does not have the authentication context from the upstream IdP available to it, so the flow has to be exercised with a real SP login that requests the REFEDS MFA context.
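One check that can be run before the restart, as an added example that is not part of the IdP distribution or of this page's configuration: the script below parses a general-authn.xml, finds the authn/SAML bean and reports whether https://refeds.org/profile/mfa is among its supportedPrincipals. It also lists the bean's property names, since a misspelling such as supportedPrinciples is an unknown property that Spring rejects when the IdP starts. The two inline documents are constructed samples (a before and an after version of the bean), and the optional path argument is assumed to point at your IdP's conf/authn/general-authn.xml.

```python
"""Static check for a Shibboleth IdP v4.0.x general-authn.xml: does the
authn/SAML flow bean list the REFEDS MFA profile in supportedPrincipals?
Added example, not part of the IdP; the sample documents are constructed."""
import sys
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
C_NS = "http://www.springframework.org/schema/c"   # Spring c: constructor-arg shorthand
REFEDS_MFA = "https://refeds.org/profile/mfa"


def tag(local):
    """Qualify a local tag name in the Spring beans namespace for ElementTree."""
    return f"{{{BEANS_NS}}}{local}"


def _flow_bean(xml_text, flow_id):
    """Return the <bean id=flow_id> element; KeyError if the document lacks it."""
    root = ET.fromstring(xml_text)
    for bean in root.iter(tag("bean")):
        if bean.get("id") == flow_id:
            return bean
    raise KeyError(f"no bean with id={flow_id!r} in document")


def flow_property_names(xml_text, flow_id="authn/SAML"):
    """Names of the <property> children on the flow bean (typo detection)."""
    return [p.get("name") for p in _flow_bean(xml_text, flow_id).findall(tag("property"))]


def supported_principals(xml_text, flow_id="authn/SAML"):
    """(parentBean, value) pairs from the flow's supportedPrincipals list.

    value is c:classRef for SAML2AuthnContextClassRef beans and c:method for
    SAML1AuthenticationMethod beans. Empty list if the property is not set.
    """
    for prop in _flow_bean(xml_text, flow_id).findall(tag("property")):
        if prop.get("name") == "supportedPrincipals":
            return [
                (b.get("parent", ""),
                 b.get(f"{{{C_NS}}}classRef") or b.get(f"{{{C_NS}}}method"))
                for b in prop.iter(tag("bean"))
            ]
    return []


def supports_refeds_mfa(xml_text, flow_id="authn/SAML"):
    """True when the flow advertises the REFEDS MFA SAML 2 context class."""
    return any(parent == "shibboleth.SAML2AuthnContextClassRef" and value == REFEDS_MFA
               for parent, value in supported_principals(xml_text, flow_id))


# Constructed sample: the bean before the REFEDS MFA entry is added.
SAMPLE_BEFORE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="authn/SAML" parent="shibboleth.AuthenticationFlow"
        p:nonBrowserSupported="false" p:discoveryRequired="true">
    <property name="supportedPrincipals">
      <list>
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        <bean parent="shibboleth.SAML1AuthenticationMethod"
              c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
      </list>
    </property>
  </bean>
</beans>
"""

# Constructed sample: the same bean with the REFEDS MFA entry added to the list.
REFEDS_BEAN = """        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="https://refeds.org/profile/mfa" />
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("      </list>", REFEDS_BEAN + "      </list>")


def main(argv):
    if len(argv) > 1:
        # Assumed usage: python check_refeds.py /opt/shibboleth-idp/conf/authn/general-authn.xml
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
        print("properties on authn/SAML:", flow_property_names(xml_text))
        ok = supports_refeds_mfa(xml_text)
        print(f"{argv[1]}: REFEDS MFA {'supported' if ok else 'NOT supported'} by authn/SAML")
        return 0 if ok else 1
    for name, doc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, supports_refeds_mfa(doc), supported_principals(doc))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports on the two constructed samples; with a path it exits non-zero when the flow bean does not advertise the REFEDS MFA context, which makes it usable as a pre-restart gate in a deployment script.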
...