Comment: Added a note about the Authentication Flow changes being 4.0 rather than 4.1 relevant.

...

Update the supported principals of the SAML authentication flow so it understands the REFEDS MFA profile

(for v4.0.1) Update the authn/SAML bean in conf/authn/general-authn.xml so it understands the REFEDS MFA profile by adding a supportedPrincipals property. The list declares which authentication contexts the proxy flow can be selected to satisfy; it must include https://refeds.org/profile/mfa alongside the password-based contexts the flow already handled:

authn/general-authn.xml updates (xml):
<!-- The p: attributes are the stock v4.0 flow descriptor; only the
     supportedPrincipals property is new. -->
<bean id="authn/SAML" parent="shibboleth.AuthenticationFlow"
    p:nonBrowserSupported="false"
    p:passiveAuthenticationSupported="true"
    p:forcedAuthenticationSupported="true"
    p:proxyScopingEnforced="true"
    p:discoveryRequired="true">

    <!-- Contexts this flow is eligible to satisfy when an SP sends a
         RequestedAuthnContext. A context not listed here will not select
         the proxy flow. -->
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
            <!-- Added: allows the proxy flow to answer a REFEDS MFA request. -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="https://refeds.org/profile/mfa" />
        </list>
    </property>
</bean>

The configuration differs in v4.1 and later, where flow descriptors are driven by the idp.authn.SAML.* properties in conf/authn/authn.properties rather than by editing general-authn.xml; check that file before making any change.

Testing

Restart the IdP for the changes to take effect. Because this is a SAML proxy configuration, aacli is not a useful test: it only exercises attribute resolution and never runs the authentication flow, so it has none of the proxied authentication context. Test end to end instead, with an SP that sends a RequestedAuthnContext of https://refeds.org/profile/mfa, and confirm that the assertion the IdP returns to the SP carries that AuthnContextClassRef.
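The end-to-end check above ends with a SAML Response in the SP's hands, and the thing to verify is the context it actually asserts. The helper below is an added example, not code from the original page or from the Shibboleth project: it inspects a captured SAML 2.0 Response (for instance one taken from a browser SAML tracer at the SP), lists every AuthnContextClassRef and AuthenticatingAuthority, and decides whether the requested context was satisfied under exact comparison. The entityIDs, the AuthnInstant values and the two Responses at the bottom are constructed samples, not real IdP output; signature validation is deliberately out of scope for this check.

```python
"""Inspect the authentication context a proxying IdP actually asserted.

Added example (not from the original page or the Shibboleth project).  It is a
test-side helper for the end-to-end check: run it against a SAML 2.0 Response
captured at the SP after the SP requested https://refeds.org/profile/mfa.
The Responses built at the bottom are constructed, unsigned samples; the
entityIDs in them are invented for illustration.
"""
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml2": SAML2_ASSERTION_NS, "saml2p": SAML2_PROTOCOL_NS}

REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)


def authn_context_class_refs(response_xml):
    """Return the AuthnContextClassRef value of every AuthnStatement, in order."""
    root = ET.fromstring(response_xml)
    path = ".//saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef"
    return [el.text.strip() for el in root.findall(path, NS) if el.text]


def authenticating_authorities(response_xml):
    """Return the AuthenticatingAuthority values (a proxy uses these to name the upstream IdP)."""
    root = ET.fromstring(response_xml)
    path = ".//saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthenticatingAuthority"
    return [el.text.strip() for el in root.findall(path, NS) if el.text]


def satisfies_requested_context(response_xml, requested_class_ref):
    """True only if some AuthnStatement asserts exactly the requested class.

    Only SAML 'exact' comparison is implemented: 'minimum', 'better' and
    'maximum' need an ordering between classes, and REFEDS MFA defines none
    relative to the password classes.  A Response with no AuthnStatement at
    all yields an empty list and therefore fails closed.
    """
    return requested_class_ref in authn_context_class_refs(response_xml)


def check(response_xml, requested_class_ref=REFEDS_MFA):
    """Summarise a Response for a test log and return the summary."""
    return {
        "requested": requested_class_ref,
        "asserted": authn_context_class_refs(response_xml),
        "upstream": authenticating_authorities(response_xml),
        "ok": satisfies_requested_context(response_xml, requested_class_ref),
    }


def sample_response(class_ref, authenticating_authority=None):
    """Build a minimal, unsigned, constructed Response for offline testing."""
    authority = (
        "<saml2:AuthenticatingAuthority>%s</saml2:AuthenticatingAuthority>"
        % authenticating_authority
        if authenticating_authority
        else ""
    )
    return """<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s"
    ID="_resp1" Version="2.0" IssueInstant="2021-06-01T12:00:00Z">
  <saml2:Issuer>https://proxy-idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_assert1" Version="2.0" IssueInstant="2021-06-01T12:00:00Z">
    <saml2:Issuer>https://proxy-idp.example.org/idp/shibboleth</saml2:Issuer>
    <saml2:AuthnStatement AuthnInstant="2021-06-01T12:00:00Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>%s</saml2:AuthnContextClassRef>
        %s
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>""" % (SAML2_PROTOCOL_NS, SAML2_ASSERTION_NS, class_ref, authority)


# Constructed samples: what a correctly configured proxy should return for an
# MFA request, and what a password-only upstream login would return instead.
MFA_RESPONSE = sample_response(REFEDS_MFA, "https://upstream-idp.example.edu/idp/shibboleth")
PASSWORD_RESPONSE = sample_response(PASSWORD_PROTECTED_TRANSPORT)


if __name__ == "__main__":
    for name, xml in (("mfa", MFA_RESPONSE), ("password", PASSWORD_RESPONSE)):
        print(name, check(xml))
```

For a real capture, pass the decoded Response XML to check() and look at "asserted" and "upstream" together: the proxy should report the REFEDS MFA class and name the upstream IdP that performed the login. A Response that asserts only a password class means the request never reached the MFA-capable path, which is exactly the case the supportedPrincipals change is meant to fix.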

...