IDPv3.3 and programmatically selecting MFA based on attribute

Jeffrey Eaton jeaton at
Sun Jan 22 20:39:42 EST 2017

To follow up on my own post, I realized that SP-requested Duo wasn’t working properly because my MFA flow wasn’t stepping up in that case, but I was able to fix that by tweaking the checkSecondFactor script to more closely align with the example from the wiki:

    nextFlow = "authn/Duo";

    // Go straight to second factor if we have to, or set up for an attribute lookup first.
    authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
    mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
    if (mfaCtx.isAcceptable()) {
        // Attribute check is required to decide if first factor alone is enough.
        resCtx = input.getSubcontext(
            "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
        // Resolve the attribute for the authenticated user first, as in the wiki example;
        // a freshly created resolution context holds no resolved attributes until this runs
        // ('custom' is the AttributeResolver service bean passed in as the script's customObject).
        usernameLookupStrategyClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
        usernameLookupStrategy = new usernameLookupStrategyClass();
        resCtx.setPrincipal(usernameLookupStrategy.apply(input));
        resCtx.getRequestedIdPAttributeNames().add("eduPersonAssurance");
        resCtx.resolveAttributes(custom);
        // Check for an attribute that authorizes use of first factor.
        attribute = resCtx.getResolvedIdPAttributes().get("eduPersonAssurance");
        valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
        if (attribute != null && attribute.getValues().contains(new valueType("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"))) {
            nextFlow = null;   // first factor is sufficient for this user
        }
        input.removeSubcontext(resCtx);   // cleanup
    }
    nextFlow;   // pass control to second factor or end with the first

So this works for my cases when the SP requests Duo by way of using our custom AuthnContextClassRef, but not in the case where there is an existing Password-only IDP session, and I want the IDP to step-up to Duo based on the attribute lookup.  So close yet so far.
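As an added illustration (not code from the post above or from the Shibboleth project), the decision the checkSecondFactor script makes can be modelled as a plain function and exercised under Node with stand-in objects in place of the IdP's Java contexts; the three cases below are constructed from the post and only model the script's own branching, not whether the IdP re-enters the MFA flow for an existing session.

```javascript
// Added example, not code from the original post: the decision logic of the
// checkSecondFactor script written as a plain function, exercised with
// stand-in objects instead of the IdP's Java context classes.
const DUO_FLOW = "authn/Duo";
const FIRST_FACTOR_OK = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";

// mfaCtx stands in for MultiFactorAuthenticationContext: `acceptable` mirrors
// isAcceptable(), i.e. whether the results so far already satisfy the request.
// resolved stands in for the resolved IdPAttribute map: name -> array of values.
function selectNextFlow(mfaCtx, resolved) {
  if (!mfaCtx.acceptable) {
    // What we have cannot satisfy the request (e.g. the SP asked for the
    // Duo AuthnContextClassRef), so go straight to the second factor.
    return DUO_FLOW;
  }
  // First factor alone is enough only if the attribute explicitly authorises it.
  const values = resolved.eduPersonAssurance || [];
  return values.includes(FIRST_FACTOR_OK) ? null : DUO_FLOW;
}

// The three cases from the post, with constructed inputs.
function runCases() {
  return {
    spRequestedDuo: selectNextFlow({ acceptable: false }, { eduPersonAssurance: [FIRST_FACTOR_OK] }),
    passwordSufficient: selectNextFlow({ acceptable: true }, { eduPersonAssurance: [FIRST_FACTOR_OK] }),
    stepUpNeeded: selectNextFlow({ acceptable: true }, {}),
  };
}
```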

