
Multiple Integrations via conf/authn/duo-authn-config.xml
    <!-- This integration is for local use. -->
    <bean id="DuoLocal" classparent="net.shibboleth.idp.authn.duoDuo.BasicDuoIntegrationDuoIntegration"
        p:APIHost="%{idp.duo.apiHost}"
        p:applicationKey="%{idp.duo.applicationKey}"
        p:integrationKey="%{idp.duo.integrationKey}"
        p:secretKey="%{idp.duo.secretKey}">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="http://example.org/ac/classes/mfa" />
                <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="http://example.org/ac/classes/mfa" />
            </list>
        </property>
    </bean>

    <!-- This integration supports either local or REFEDS use. -->
    <bean id="DuoREFEDS" classparent="net.shibboleth.idp.authn.duoDuo.BasicDuoIntegrationDuoIntegration"
        p:APIHost="%{idp.duo.apiHost.refeds}"
        p:applicationKey="%{idp.duo.applicationKey.refeds}"
        p:integrationKey="%{idp.duo.integrationKey.refeds}"
        p:secretKey="%{idp.duo.secretKey.refeds}">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="http://example.org/ac/classes/mfa" />
                <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="http://example.org/ac/classes/mfa" />
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="https://refeds.org/profile/mfa" />
                <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="https://refeds.org/profile/mfa" />
            </list>
        </property>
    </bean>
    
    <!-- Order matters here; we want the most lenient integration first. -->
    <util:list id="DuoIntegrationList">
       <ref bean="DuoDefault" />
       <ref bean="DuoREFEDS" />
    </util:list>

    <!-- This simple function just iterates over each integration until it finds an acceptable one. -->
    <bean id="shibboleth.authn.Duo.DuoIntegrationStrategy" parent="shibboleth.ContextFunctions.Scripted"
            factory-method="inlineScript"
            p:customObject-ref="DuoIntegrationList">
        <constructor-arg name="scriptSource">
        <value>
        <![CDATA[
        duo = null;
        authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        iter = custom.iterator();
        while (duo == null && iter.hasNext()) {
            duo = iter.next();
            if (!authCtx.isAcceptable(duo)) {
                duo = null;
            }
        }
        duo;
        ]]>
        </value>
        </constructor-arg>
    </bean>
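Review bot: `DuoIntegrationList` refers to `<ref bean="DuoDefault" />`, but the only integration beans defined in this block are `DuoLocal` and `DuoREFEDS`; unless `DuoDefault` is defined elsewhere in the file, Spring will fail to resolve the reference at startup, and the intended line is presumably `<ref bean="DuoLocal" />`. The "most lenient first" comment is only half the story: the strategy script returns the first integration for which `authCtx.isAcceptable(duo)` is true, so a request that asks for `https://refeds.org/profile/mfa` can never be answered by `DuoLocal`, and list order only decides among integrations that all satisfy the request; the comment could say `<!-- Order matters only among integrations acceptable to the request; the first acceptable one is used, so put the most lenient first. -->`. The script also calls `authCtx.isAcceptable` without checking that `getSubcontext(...)` returned non-null; that is probably always the case when this strategy runs, but a `if (authCtx == null) { duo = null; }`-style guard before the loop would make the failure mode a clean "no integration" rather than a script exception. Note for readers that the `classparent="net.shibboleth.idp.authn.duoDuo.BasicDuoIntegrationDuoIntegration"` attribute on both integration beans is the version compare rendering the removed `class` attribute and the added `parent` attribute interleaved; it is not literal configuration.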
