Forcing Duo by Service Provider

Brandon McKean mckeanbs at
Wed May 10 15:12:21 EDT 2017

Following up on this, albeit later, I think I've managed to make it 
work, but I want to make sure I have the right idea.

This is what I put under the supported principals list for MFA and Duo 
in general-authn.xml:

> <bean parent="shibboleth.SAML2AuthnContextClassRef"
> c:classRef="urn:jmu:mfa:SAML:2.0:ac:classes" />

Then, before the overrides bean in relying-party.xml:

> <bean id="jmumfa" parent="shibboleth.SAML2AuthnContextClassRef"
>     c:_0="urn:jmu:mfa:SAML:2.0:ac:classes" />

Within the overrides bean:

> <bean parent="RelyingPartyByName" c:relyingPartyIds="desiredsp">
>                 <property name="profileConfigurations">
>                 <list>
>                         <bean parent="SAML2.SSO" 
> p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
>                                 <property 
> name="defaultAuthenticationMethods">
>                                         <list>
>                                                 <ref bean="jmumfa" />
>                                         </list>
>                                 </property>
>                         </bean>
>                 </list>
>                 </property>
>         </bean>

This looks to work as needed, so I just wanna make sure it looks right.


Brandon McKean
IT / Systems
Linux Administrator

On 04/05/2017 07:48 PM, Cantor, Scott wrote:
> On 4/5/17, 2:41 PM, "users on behalf of Brandon McKean" <users-bounces at on behalf of mckeanbs at> wrote:
>> I'll be frank and say that I spent hours trying to figure that way out
>> and made no progress. If a detailed step by step for the correct way
>> were published on the wiki or similar, believe me I'd be using that. As
>> it stands I just couldn't make it work.
> Pick a context class URI. Associate it with the MFA flow and the Duo flow as a supported Principal. Define a RelyingParty override for all the relevant SPs that require MFA and put that same context class Principal in as the defaultAuthenticationMethod. The profile configuration documentation in the wiki around the defaultAuthenticationMethod setting has a complete example of what to do to make it safe to use.
> My MFA "checkSecondFactor" script is this:
>                  nextFlow = "authn/Duo";
>                  // Go to second factor if we have to.
>                  authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
>                  mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
>                  if (mfaCtx.isAcceptable()) {
>                      nextFlow = null;
>                  }
>                  nextFlow;   // pass control to second factor or end with the first
> If you need more than that, you're including user-specific criteria into the decision. There is no reason for any SP-specific rules to be in that script, it's more work that way and less flexible.
> -- Scott
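The configuration pattern in this thread has two halves that both have to be present for the override to actually force MFA: the SAML2.SSO profile for the SP must disallow the SP's own RequestedAuthnContext (the `p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT"` setting Brandon used), and `defaultAuthenticationMethods` must reference the MFA context class principal. The script below is an added example, not code from the thread or from the Shibboleth project: it parses a relying-party.xml fragment and reports each RelyingPartyByName override that is missing either half. The bean id `jmumfa`, the URI `urn:jmu:mfa:SAML:2.0:ac:classes` and the SP id `desiredsp` come from the thread; the XML fragment is constructed for the example, and the second override (`other-sp`) is a hypothetical one that omits `disallowedFeatures` so the check has something to flag.

```python
"""Lint Shibboleth IdP relying-party.xml overrides meant to force MFA per SP.

Added example, not part of the mailing-list thread. For each
RelyingPartyByName override it checks that every SAML2.SSO profile bean
  1. disallows the SP's RequestedAuthnContext (disallowedFeatures-ref), and
  2. pins defaultAuthenticationMethods to the MFA context class principal.
"""
import xml.etree.ElementTree as ET

NS = {
    "b": "http://www.springframework.org/schema/beans",
    "c": "http://www.springframework.org/schema/c",
    "p": "http://www.springframework.org/schema/p",
    "util": "http://www.springframework.org/schema/util",
}
BEAN = "{%s}bean" % NS["b"]
PROPERTY = "{%s}property" % NS["b"]
REF = "{%s}ref" % NS["b"]

MFA_CLASS_REF = "urn:jmu:mfa:SAML:2.0:ac:classes"      # URI from the thread
AUTHNCONTEXT_FEATURE = "SAML2.SSO.FEATURE_AUTHNCONTEXT"

# Constructed fragment: "desiredsp" mirrors the thread's override,
# "other-sp" is hypothetical and forgets disallowedFeatures.
SAMPLE_RELYING_PARTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:c="http://www.springframework.org/schema/c"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:util="http://www.springframework.org/schema/util">
  <bean id="jmumfa" parent="shibboleth.SAML2AuthnContextClassRef"
        c:_0="urn:jmu:mfa:SAML:2.0:ac:classes" />
  <util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="desiredsp">
      <property name="profileConfigurations">
        <list>
          <bean parent="SAML2.SSO"
                p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
            <property name="defaultAuthenticationMethods">
              <list><ref bean="jmumfa" /></list>
            </property>
          </bean>
        </list>
      </property>
    </bean>
    <bean parent="RelyingPartyByName" c:relyingPartyIds="other-sp">
      <property name="profileConfigurations">
        <list>
          <bean parent="SAML2.SSO">
            <property name="defaultAuthenticationMethods">
              <list><ref bean="jmumfa" /></list>
            </property>
          </bean>
        </list>
      </property>
    </bean>
  </util:list>
</beans>"""


def ns_attr(elem, prefix, name):
    """Read a namespaced attribute such as c:_0 or p:disallowedFeatures-ref."""
    return elem.get("{%s}%s" % (NS[prefix], name))


def is_mfa_principal(bean):
    """True if the bean defines the MFA context class principal (either
    constructor-arg spelling, c:_0 or c:classRef, as seen in the thread)."""
    if bean.get("parent") != "shibboleth.SAML2AuthnContextClassRef":
        return False
    ref = ns_attr(bean, "c", "_0") or ns_attr(bean, "c", "classRef")
    return ref == MFA_CLASS_REF


def mfa_principal_ids(root):
    """Ids of top-level beans that define the MFA principal (e.g. jmumfa)."""
    return {b.get("id") for b in root.iter(BEAN)
            if is_mfa_principal(b) and b.get("id")}


def default_methods_pin_mfa(profile_bean, mfa_ids):
    """Does defaultAuthenticationMethods reference (or inline) the MFA principal?"""
    for prop in profile_bean.findall(PROPERTY):
        if prop.get("name") != "defaultAuthenticationMethods":
            continue
        if any(r.get("bean") in mfa_ids for r in prop.iter(REF)):
            return True
        if any(is_mfa_principal(b) for b in prop.iter(BEAN)):
            return True
    return False


def audit_overrides(xml_text):
    """Map each override's relyingPartyIds to a list of problems found."""
    root = ET.fromstring(xml_text)
    mfa_ids = mfa_principal_ids(root)
    findings = {}
    for lst in root.iter("{%s}list" % NS["util"]):
        if lst.get("id") != "shibboleth.RelyingPartyOverrides":
            continue
        for override in lst.findall("b:bean", NS):
            if override.get("parent") != "RelyingPartyByName":
                continue
            sp_ids = ns_attr(override, "c", "relyingPartyIds") or "<unnamed>"
            issues = []
            profiles = [b for b in override.iter(BEAN) if b.get("parent") == "SAML2.SSO"]
            if not profiles:
                issues.append("no SAML2.SSO profile configuration in override")
            for prof in profiles:
                if ns_attr(prof, "p", "disallowedFeatures-ref") != AUTHNCONTEXT_FEATURE:
                    # Without this the SP's RequestedAuthnContext can still
                    # select a different (weaker) context class.
                    issues.append("SAML2.SSO honours the SP's RequestedAuthnContext "
                                  "(disallowedFeatures-ref not set to %s)" % AUTHNCONTEXT_FEATURE)
                if not default_methods_pin_mfa(prof, mfa_ids):
                    issues.append("SAML2.SSO defaultAuthenticationMethods does not "
                                  "reference the MFA principal")
            findings[sp_ids] = issues
    return findings


if __name__ == "__main__":
    for sp, issues in audit_overrides(SAMPLE_RELYING_PARTY_XML).items():
        print(sp, "OK" if not issues else "; ".join(issues))
```

Run it against a real relying-party.xml by replacing the constructed fragment with the file contents; the check is deliberately strict about the exact `SAML2.SSO.FEATURE_AUTHNCONTEXT` reference because a typo there silently leaves the SP free to request a different context class.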
