Current File(s): conf/authn/mfa-authn-config.xml, conf/authn/authn.properties (V4.1+)
Format: Native Spring, Properties (V4.1+)
...
General Configuration
| Localtabgroup |
|---|
Use authn/mfa-authn-config.xml to configure this flow. Most of the flow configuration is in authn/mfa-authn-config.xml but some generic settings applicable to all login flows are in authn/authn.properties. |
| Tip |
|---|
Note that when you use the MFA flow, it's common that it will be the only flow enabled via the idp.authn.flows property. In particular, any flows you direct the MFA flow to run via rules and scripts should not be enabled themselves because to do so may cause the IdP to run them itself in ways that are likely to subvert your intent. |
...
You can split these concerns any way you prefer, but if you can include at least some of your logic in the reuse condition rather than the MFA logic itself, that can improve efficiency. But in the simplest case, if you want the MFA rules to run on every request no matter what:
| Localtabgroup |
|---|
| Code Block |
|---|
| language | xml |
|---|
| title | authn/general-authn.xml |
|---|
| ...
<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true"
p:reuseCondition="false">
...etc...
</bean>
... |
| Code Block |
|---|
| title | authn/authn.properties |
|---|
| ...
idp.authn.MFA.reuseCondition = shibboleth.Conditions.FALSE
... |
|
That simply says "never reuse results". Bear in mind this is referring to the MFA flow itself, and not the individual "sub factors" that it uses internally to build its results, so individual factors may have results reused when the MFA logic actually runs them, which is generally what is desired.
For more advanced cases or to improve efficiency, a bean can be defined for a script or Java logic that defines the condition to evaluate to decide on reuse, and you can attach that bean by name.
Reference
| Localtabgroup |
|---|
The beans defined in authn/mfa-authn-config.xml follow: | Localtab-live |
|---|
| active | true |
|---|
| title | Beans (V4.1+) |
|---|
|
The beans defined in authn/mfa-authn-config.xml follow: Properties specific to this flow defined in authn/authn.properties are: | Name | Default | Description |
|---|
| idp.authn.MFA.validateLoginTransitions | true | Whether login flows should only be run with regard for forceAuthn/isPassive/nonBrowser (and similar) conditions |
The general properties configuring this flow via authn/authn.properties are: | Name | Default | Description |
|---|
| idp.authn.MFA.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) | | idp.authn.MFA.nonBrowserSupported | true | Whether the flow should handle non-browser request profiles (e.g., ECP) | | idp.authn.MFA.passiveAuthenticationSupported | true | Whether the flow allows for passive authentication | | idp.authn.MFA.forcedAuthenticationSupported | true | Whether the flow supports forced authentication | | idp.authn.MFA.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying | | idp.authn.MFA.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying | | idp.authn.MFA.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow | | idp.authn.MFA.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow | | idp.authn.MFA.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow | | idp.authn.MFA.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO | | idp.authn.MFA.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request | | idp.authn.MFA.subjectDecorator |
| Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization | | idp.authn.MFA.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow | | idp.authn.MFA.addDefaultPrincipals | false | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |
As a generic flow, the supportedPrincipals property defaults to the following XML: | Code Block |
|---|
| <list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list> |
In property form, this is expressed as: | Code Block |
|---|
idp.authn.MFA.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password |
This default is not intended to be applicable to most systems, but matches the behavior of the flow's default/example configuration which accounts for both the IPAddress and Password flows being combined. id | FDXML | | title | Flow Descriptor XML (V4.1+) |
|---|
|
To replace the internally defined flow descriptor bean, the following XML is required:
| Code Block |
|---|
|
<util:list id="shibboleth.AvailableAuthenticationFlows">
<bean p:id="authn/MFA" parent="shibboleth.AuthenticationFlow"
p:order="%{idp.authn.MFA.order:1000}"
p:nonBrowserSupported="%{idp.authn.MFA.nonBrowserSupported:true}"
p:passiveAuthenticationSupported="%{idp.authn.MFA.passiveAuthenticationSupported:true}"
p:forcedAuthenticationSupported="%{idp.authn.MFA.forcedAuthenticationSupported:true}"
p:proxyRestrictionsEnforced="%{idp.authn.MFA.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
p:proxyScopingEnforced="%{idp.authn.MFA.proxyScopingEnforced:false}"
p:discoveryRequired="%{idp.authn.MFA.discoveryRequired:false}"
p:lifetime="%{idp.authn.MFA.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
p:inactivityTimeout="%{idp.authn.MFA.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
p:reuseCondition-ref="#{'%{idp.authn.MFA.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
p:activationCondition-ref="#{'%{idp.authn.MFA.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
p:subjectDecorator-ref="#{getObject('%{idp.authn.MFA.subjectDecorator:}'.trim())}">
<property name="supportedPrincipalsByString">
<bean parent="shibboleth.CommaDelimStringArray"
c:_0="#{'%{idp.authn.MFA.supportedPrincipals:}'.trim()}" />
</property>
</bean>
</util:list> |
In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.
Notes
It's been observed, accurately, that the data required to track the use of this feature in the session cache is on the order of 2-3 times as large as just a "simple" authentication result. While it is believed that this remains acceptable with the use of cookies, and certainly with HTML Storage, some storage service implementations such as that forĀ Memcached rely on a less reliable persistence model that may prematurely evict data, so such options may not be a good fit with this feature.