CSRF FlowExecutionListener testing for MFA
Introduction
Following on from CSRF Mitigation Options, here we explore how the synchroniser token pattern implemented by the CsrfFlowExecutionListener [1] can be applied to the multi-factor authentication (MFA) mechanism within the IdP, to help prevent Login CSRF across composite authentication strategies in which more than one view state accepts a POST from the user.
Implementation
Here we combine the Password and Duo authentication flows inside an MFA flow. The setup is as follows:
- Set up a Shibboleth Duo application to protect on duo.com.
- Configure duo.properties with the Duo keys and API hostname.
- Configure the IdP to use the MFA flow (in idp.properties):
idp.authn.flows = MFA
- Adjust mfa-authn-config.xml so that the transition map first runs the authn/Password flow:
<entry key=""> <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" /> </entry>
- Then run the authn/Duo flow afterward, via a transition script whose return value names the next flow:
<value> <![CDATA[ nextFlow = "authn/Duo"; ...
Result
The Password flow works as expected with the insertion of the CSRF token. The Duo flow also works, provided the duo.vm view includes the CSRF token as a hidden field in the duo_form form, e.g.
<form id="duo_form" method="post"> <input type="hidden" name="_eventId" value="proceed" /> <input type="hidden" name="${csrfToken.parameterName}" value="${csrfToken.token}" id="csrf_token"> </form>
Without that field the POST from the Duo view fails token validation, since the listener checks every view state in the flow, not just the initial login form.
[1] The `CsrfFlowExecutionListener` provides a core cross-cutting security control across IdP view states by injecting and validating CSRF tokens.