MCB SSO not requiring greater authentication methods

Caskey, Paul pcaskey at utsystem.edu
Fri Apr 10 10:43:45 EDT 2015


Did you disable/comment out the PreviousSession LoginHandler in handler.xml?




Sent from phone

-----Original Message-----
From: Ho, PeiQuan [PeiQuan.Ho at tufts.edu]
Received: Friday, 10 Apr 2015, 9:11AM
To: Shib Users [users at shibboleth.net]
Subject: RE: MCB SSO not requiring greater authentication methods

This is what I'm currently doing.   I'm using a scripted attribute resolver call "authContext" that is determine by checking the value of the SP ID and another value for the user.  This value is then passed to the MCB as its attributeResolverID which I thought would then set the MCB authnContext to the one specified by the authContext generated value.  Currently, this does work.  It just doesn't work when doing SSO... such as when I first go to an SP that the MCB determines to only require password, then go to a second SP that the MCB determines requires two-factor, the second SP does not force the two-factor step.  Is this do-able with Shib and MCB?  We're currently using shib IDP 2.4.1.

Thanks,
-PQ

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Thursday, April 09, 2015 12:40 PM
To: Shib Users
Subject: Re: MCB SSO not requiring greater authentication methods

On 4/9/15, 12:33 PM, "Caskey, Paul" <pcaskey at utsystem.edu> wrote:

>Please correct if I'm wrong, but you could use a scripted attribute definition in the resolver for your MCB/assurance attribute and it would see the SP's ID and could just not issue 'password' as an acceptable method for that user in the case where you want to force 2-factor, correct?

It depends on whether/how the MCB populates the resolution context that ends up in the scripting layer with that information or not. It's not the IdP-proper running the resolver in this case, it's a sort of extra resolver invocation with a fair amount of mocked up context, at least if it's done how that sort of thing usually gets done with the old APIs.

-- Scott

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net


More information about the users mailing list