...
| Note |
|---|
Please read and follow the documentation first, before or along with using this example. This documentation is not maintained by the development team and may not be entirely accurate or consistent with the software at any given time. It is a complement to the documentation, not a replacement for it. It is currently out of date with respect to some improvements made in V4.1. |
| Table of Contents |
|---|
Overview
...
(for v4.0.1) Update the authn/SAML bean in authn/general-authn.xml so it understands the REFEDS MFA profile by adding a supportedPrinciples supportedPrincipals property:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<bean id="authn/SAML" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true"
p:proxyScopingEnforced="true"
p:discoveryRequired="true">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://refeds.org/profile/mfa" />
</list>
</property>
</bean> |
Changes required in v4.1 may be different and you should look at the authn.properties file. More details here: SAMLAuthnConfiguration
Testing
Restart your IdP for your changes to take effect. Because this is a SAML proxy configuration it doesn't make sense to use aacli since it won't have the required information available to it.
...