idp 3.0 MFA/DUO questions.

Mathis, Bradley bmathis at pima.edu
Thu Dec 21 09:05:52 EST 2017


My questions are at the bottom.

Background info:

In a test IdP 3.x environment, I currently have 3 applications that I can
SSO with:
1. an app that uses the CAS protocol
2. an app that we use IdP-initiated SSO with
3. the testshib site (well, it was working; today it can't find my metadata)

I'm testing out MFA with DUO.  I have used the following links for
reference on how to configure it.


https://wiki.shibboleth.net/confluence/pages/viewpage.action?pageId=32112643

https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration

https://wiki.shibboleth.net/confluence/display/IDP30/DuoAuthnConfiguration


I can successfully SSO to these SPs. I get authenticated with
authn/Password, then get sent to DUO and then to my app.
At the moment I get a second factor (DUO) prompt for everything. I think
that's due to how I have the shibboleth.authn.MFA.TransitionMap configured;
see my example.
+++++++++++++++++++++++++++++++++++++
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- First rule runs the Password login flow. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition"
              p:nextFlow="authn/Password" />
    </entry>

    <!--
    Second rule runs a function if authn/Password succeeds, to determine
    whether an additional factor is required.
    -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition"
              p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>

    <!-- An implicit final rule will return whatever the final flow returns. -->
</util:map>

<!-- Example script to see if second factor is required. -->
<bean id="checkSecondFactor"
      parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
            <![CDATA[
                // Always selects Duo, so every login gets a second-factor prompt.
                nextFlow = "authn/Duo";
                nextFlow;   // pass control to second factor, or return null to end with the first
            ]]>
        </value>
    </constructor-arg>
</bean>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Eventually we will have about 10 to 15 SPs; some will need MFA and some
won't. Some will be CAS protocol and some won't (not sure that matters).



Questions:

1. Where/how do I define the logic of which apps/SPs need a second factor and
which ones don't?


2. Eventually we will want to use some type of opt-in for apps that don't
require MFA. We are hoping to be able to do that based on an attribute we
set in LDAP; is that possible? (I think it is.)
2a. Where in the documentation would I start, or what config file should I look at,
for opt-in?


Thank You Everyone!





Brad Mathis
Principal Systems Analyst
Pima Community College
IT - Technical Services
520.206.4826
bmathis at pima.edu
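The script in the post returns "authn/Duo" unconditionally, which is why every login is prompted. The example below is added here and is not from the original post or from the Shibboleth project: it is a stand-alone model, runnable in Node, of the decision the checkSecondFactor script has to make (per-SP requirement, a user opt-in attribute, and skipping the prompt when an earlier result already satisfies the request). The names REQUIRE_MFA, OPTIN_ATTRIBUTE and decideNextFlow, and all entityIDs and attribute values, are constructed for illustration.

```javascript
// Added example (not from the original post): a stand-alone model of the
// decision the "checkSecondFactor" inline script has to make after
// authn/Password succeeds. Names and sample values below are hypothetical.

// SPs (entityIDs, or CAS service URLs) that always require a second factor.
// Constructed sample values.
const REQUIRE_MFA = new Set([
  "https://hr.example.edu/shibboleth",
  "https://finance.example.edu/cas",
]);

// Name of the LDAP-sourced attribute that marks a user as opted in to MFA,
// and the values treated as "opted in". Both are constructed assumptions.
const OPTIN_ATTRIBUTE = "mfaOptIn";
const OPTIN_VALUES = new Set(["true", "1", "yes"]);

/**
 * Decide the next authentication flow after authn/Password succeeds.
 * @param {string} relyingPartyId  entityID (or CAS service) of the SP
 * @param {Object<string,string[]>} attributes  resolved user attributes
 * @param {boolean} alreadyAcceptable  true if an earlier second-factor result
 *        in this session already satisfies the request
 * @returns {string|null} "authn/Duo" to run the second factor, or null to
 *          finish with the Password result alone
 */
function decideNextFlow(relyingPartyId, attributes, alreadyAcceptable) {
  if (alreadyAcceptable) {
    return null; // do not re-prompt when the MFA result is still acceptable
  }
  if (REQUIRE_MFA.has(relyingPartyId)) {
    return "authn/Duo"; // SP policy wins over the user's preference
  }
  const values = attributes[OPTIN_ATTRIBUTE] || [];
  const optedIn = values.some((v) =>
    OPTIN_VALUES.has(String(v).trim().toLowerCase())
  );
  return optedIn ? "authn/Duo" : null;
}

// Constructed sample decisions, printed when run directly with Node.
const samples = [
  ["https://hr.example.edu/shibboleth", {}, false],
  ["https://wiki.example.edu/shibboleth", { mfaOptIn: ["TRUE"] }, false],
  ["https://wiki.example.edu/shibboleth", { mfaOptIn: ["false"] }, false],
  ["https://hr.example.edu/shibboleth", {}, true],
];
for (const [rp, attrs, ok] of samples) {
  console.log(rp, "->", decideNextFlow(rp, attrs, ok));
}
```

In the IdP itself the inline script runs under Nashorn and receives the ProfileRequestContext as `input`; the relying party id and the user's attributes are read from its subcontexts (the RelyingPartyContext and the attribute resolver, respectively), which the MultiFactorAuthnConfiguration page linked above documents. A function returning null there ends the login with the Password result, which is the piece the posted script never does.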