...
Code Block |
---|
|
<util:map id="shibboleth.authn.MFA.TransitionMap">
<!-- First rule runs the Password login flow. -->
<entry key="">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
</entry>
<!--
Second rule runs a function if Password succeeds, to determine whether an additional
factor is required.
-->
<entry key="authn/Password">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
</entry>
<!-- An implicit final rule will return whatever the final flow returns. -->
</util:map>
<!-- Example script to see if second factor is required. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
<constructor-arg>
<value>
<![CDATA[
nextFlow = "authn/Duo";
// Check if second factor is necessary for request to be satisfied.
authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
if (mfaCtx.isAcceptable()) {
nextFlow = null;
}
nextFlow; // pass control to second factor or end with the first
]]>
</value>
</constructor-arg>
</bean>
|
The additional setup will vary by version and is the process by which you associate the "internal" SAML AuthnContext class reference value with your second-factor method (Duo in this case) so that it can act as a signal.
Localtabgroup |
---|
Localtab live |
---|
active | true |
---|
Expand |
---|
|
New (or modernized) installs of V4.1+ can be taught what context classes to associate with login flows using conf/authn/authn.properties: conf/authn/authn.properties Code Block |
---|
| ...
idp.authn.Duo.supportedPrincipals = \
saml2/http://example.org/ac/classes/mfa, \
saml1/http://example.org/ac/classes/mfa
...
idp.authn.MFA.supportedPrincipals = \
saml2/http://example.org/ac/classes/mfa, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/http://example.org/ac/classes/mfa, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password | localtab-live |
Expand |
---|
|
Earlier versions rely on the conf/authn/general-authn.xml file to associate the class reference, using the supportedPrincipals property on the login flows. The class reference object must be connected to both the Duo and MFA flows because the latter is a superset of the former. The IdP is being told that these flows "support" this context class so it's necessary that both flows are told to do so. This is an excerpt (note the "..."'s) of the complete file and just the relevant aspects are shown; other settings will vary by local need. conf/authn/general-authn.xml Code Block |
---|
| <util:list id="shibboleth.AvailableAuthenticationFlows">
...
<!-- Associates use of Duo with the local MFA context class. -->
<bean p:id="authn/Duo" parent="shibboleth.AuthenticationFlow">
<property name="supportedPrincipals">
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="http://example.org/ac/classes/mfa" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="http://example.org/ac/classes/mfa" />
</property>
</bean>
...
<!-- Associates MFA flow with both password- and Duo-based authentication. -->
<bean p:id="authn/MFA" parent="shibboleth.AuthenticationFlow">
<property name="supportedPrincipals">
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="http://example.org/ac/classes/mfa" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="http://example.org/ac/classes/mfa" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</property>
</bean>
...
</util:list> |
|
...
The final step is to simply extend what's already been done to include the REFEDS context class so that SPs that need it can request it. This is a straight addition to the principal sets in the earlier examples, and the original values are included for completeness. You could also add the value as a SAML 1.1 option in an obvious way but that isn't likely to matter or come into play given that SAML 1.1 SPs, if they exist, can't actually request anything.
Localtabgroup |
---|
Localtab live |
---|
active | true Expand |
---|
|
conf/authn/authn.properties Code Block |
---|
| ...
idp.authn.Duo.supportedPrincipals = \
saml2/https://refeds.org/profile/mfa, \
saml2/http://example.org/ac/classes/mfa, \
saml1/http://example.org/ac/classes/mfa
...
idp.authn.MFA.supportedPrincipals = \
saml2/https://refeds.org/profile/mfa, \
saml2/http://example.org/ac/classes/mfa, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/http://example.org/ac/classes/mfa, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password | localtab-live |
Expand |
---|
|
conf/authn/general-authn.xml Code Block |
---|
| <util:list id="shibboleth.AvailableAuthenticationFlows">
...
<!-- Associates use of Duo with the local MFA context class. -->
<bean p:id="authn/Duo" parent="shibboleth.AuthenticationFlow">
<property name="supportedPrincipals">
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://refeds.org/profile/mfa" /> <!-- REFEDS added here -->
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="http://example.org/ac/classes/mfa" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="http://example.org/ac/classes/mfa" />
</property>
</bean>
...
<!-- Associates MFA flow with both password- and Duo-based authentication. -->
<bean p:id="authn/MFA" parent="shibboleth.AuthenticationFlow">
<property name="supportedPrincipals">
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://refeds.org/profile/mfa" /> <!-- REFEDS added here -->
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="http://example.org/ac/classes/mfa" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:classRef="http://example.org/ac/classes/mfa" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</property>
</bean>
...
</util:list> |
|
...