...
3. Configuring a basic MFA flow
First, ensure the MFA and Password modules are enabled. Then, open the conf/authn/mfa-authn-config.xml file and add a basic MFA flow which includes Username and Password as a first factor. You must ensure the Password flow is properly configured.
...
| Code Block | ||
|---|---|---|
| ||
<util:map id="shibboleth.authn.MFA.TransitionMap">
<!-- First rule runs the Password login flow. -->
<entry key="">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
</entry>
<!-- Second rule runs a function if Password succeeds, to determine whether an additional factor is required. -->
<entry key="authn/Password">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
</entry>
<!-- An implicit final rule will return whatever the final flow returns. -->
</util:map>
<!-- Example script to see if second factor is required. Currently just returns the DuoOIDC flow -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
<constructor-arg>
<value>
<![CDATA[
nextFlow = "authn/DuoOIDC";
// Check if second factor is necessary for request to be satisfied.
//authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
// mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
//if (mfaCtx.isAcceptable()) {
// nextFlow = null;
//}
nextFlow; // pass control to second factor or end with the first
]]>
</value>
</constructor-arg>
</bean> |
4. Enable MFA flow
We need to ensure that MFA is called, so open conf/authn/auth.properties file and set idp.authn.flows accordingly
...