...
Installation of the OIDCCommon plugin
Typically this can be achieved as follows:
```shell
$ /opt/shibboleth-idp/bin/plugin.sh -I net.shibboleth.oidc.common
```

or

```bat
C:>\opt\shibboleth-idp\bin\plugin.bat -I net.shibboleth.oidc.common
```
What we will install and configure
...
3. Configuring a basic MFA flow
First, ensure the MFA and Password modules are enabled. Then, open the conf/authn/mfa-authn-config.xml file and add a basic MFA flow which includes Username and Password as a first factor. You must ensure the Password flow is properly configured.
...
```xml
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- First rule runs the Password login flow. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>

    <!-- Second rule runs a function if Password succeeds, to determine whether an additional factor is required. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>

    <!-- An implicit final rule will return whatever the final flow returns. -->
</util:map>

<!-- Example script to see if second factor is required. Currently just returns the DuoOIDC flow -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        nextFlow = "authn/DuoOIDC";

        // Check if second factor is necessary for request to be satisfied.
        //authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        //mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
        //if (mfaCtx.isAcceptable()) {
        //    nextFlow = null;
        //}

        nextFlow;   // pass control to second factor or end with the first
        ]]>
        </value>
    </constructor-arg>
</bean>
```
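The check that the script above leaves commented out, pulled into a function so the decision can be exercised outside the IdP (an added example written for this page, not the page's configuration nor Shibboleth's own code). The `makeInput` objects are constructed stand-ins that imitate only `getSubcontext()` and `isAcceptable()`; inside the IdP the same logic would be inlined and end with the `nextFlow;` expression as the page shows, because an inline script returns its last expression.

```javascript
// Class names exactly as used in the page's inline script.
var AUTHN_CTX = "net.shibboleth.idp.authn.context.AuthenticationContext";
var MFA_CTX = "net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext";
var SECOND_FACTOR = "authn/DuoOIDC";

// Decide the next MFA transition after a successful Password login.
// Returns null to finish with the first factor only, or the flow id to run next.
// A missing context means we cannot prove the request is already satisfied,
// so the second factor is required (fail closed) rather than skipped.
function checkSecondFactor(input) {
  var authCtx = input.getSubcontext(AUTHN_CTX);
  if (authCtx === null) {
    return SECOND_FACTOR;
  }
  var mfaCtx = authCtx.getSubcontext(MFA_CTX);
  if (mfaCtx === null) {
    return SECOND_FACTOR;
  }
  // isAcceptable() is true when the results collected so far already satisfy
  // what the relying party requested (for example, it asked for no MFA).
  return mfaCtx.isAcceptable() ? null : SECOND_FACTOR;
}

// Constructed stand-ins for the IdP's Java context objects (not the real API);
// only the two methods the decision uses are imitated.
function makeInput(opts) {
  var mfaCtx = { isAcceptable: function () { return opts.acceptable === true; } };
  var authCtx = {
    getSubcontext: function (cls) { return cls === MFA_CTX && opts.hasMfaCtx ? mfaCtx : null; }
  };
  return {
    getSubcontext: function (cls) { return cls === AUTHN_CTX && opts.hasAuthnCtx ? authCtx : null; }
  };
}

// The three cases a deployer should expect to see.
console.log(checkSecondFactor(makeInput({ hasAuthnCtx: true, hasMfaCtx: true, acceptable: true })));  // null
console.log(checkSecondFactor(makeInput({ hasAuthnCtx: true, hasMfaCtx: true, acceptable: false }))); // authn/DuoOIDC
console.log(checkSecondFactor(makeInput({ hasAuthnCtx: true, hasMfaCtx: false })));                   // authn/DuoOIDC
```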
4. Enable MFA flow
We need to ensure that MFA is called, so open the conf/authn/auth.properties file and set idp.authn.flows accordingly.
...