Shibboleth MFA questions

Cantor, Scott cantor.2 at
Wed May 17 17:28:35 EDT 2017

On 5/17/17, 5:06 PM, "users on behalf of s-awinte at" <users-bounces at on behalf of s-awinte at> wrote:

> I'd like to get your opinion and hints on using MFA-flow with x509Authn
> and U2F with pw + uname + Yubikey via plugin (which we're using already):
> GitHub - Ratler/shibboleth-mfa-u2f-auth: U2F multifactor authentication

I don't have any opinions about code I don't support, but authentication flows that aren't written correctly will not compose properly with the system and create a lot of difficulties. A U2F flow that's written analogously to the Duo flow will work properly, otherwise it won't work in a variety of cases. If the U2F flow tries to own any part of the username/password step, it will be a mess to make work and shouldn't be used.

Basically anything written prior to 3.3 is suspect and will probably not work except in isolation when used by itself or alongside other methods that aren't being combined with it. X.509 OR Password is fine. X.509 OR (Password + something) will not be fine because the "something" won't be doing things properly because there wasn't a proper way to do it. It's not a criticism, it's a gap in the original design that people rushed to circumvent before there was a real way to do it.

> To my understanding, Shibboleth 3.x offers all available authn methods
> to the SP and will fall back to flows, as defined in the configuration,

It can, but that is almost always something you should manage via MFA rules and scripting. Trying to get the IdP to do it for you will be very hard in most cases, unless the methods don't overlap in weird ways, per the above.

> I've heard two contradictory statements on if IdP or the SP controls,
> which flow is actually triggered, i. e. if it's explicitly requested by
> SP, or if IdP offers and SP accepts this authn method.

SPs should ask for what they will accept or simply not care and live with what they get. IdPs can configure the default method to use for an SP that can't request what it wants, but deployments can be much more complex in practice involving user opt-in scenarios and lots of context-specific rules to influence behavior, and that's all ultimately going to need scripting to coordinate and enforce.

> I couldn't find much information in the docs on how to set up the
> configuration for the specific combination above, though - only MFA-flow 

That is how. You have to do the work because only you know what you want it to do.

> Currently, my colleagues and I are using U2F-flow with the U2F-plugin.

That is inherently going to be a problem for the reason I stated, unless it's been redone for 3.3.

> The developer stated, that there's a programmatical approach required, a
> plugin for IdP, Javascript or a Java bean of sorts, to manage the
> x509Authn-flow, i. e. deactivating the U2F-plugin (there's supposed to
> be an API switch for that)

I don't know what that means.

> and extracting user principal or SAN from the
> client cert information provided from the env vars of Apache.

The X509 flow is used when you want to operate on a certificate. If you want to pull in identity from Apache, that's RemoteUser. Just because Apache got it from a certificate doesn't make it a certificate flow from the IdP perspective, though it may mean altering the context classes in the supportedPrincipals collection of the RemoteUser flow descriptor to indicate that the actual process wasn't a password.

> As I've learned, Shibboleth 3.x implements a MFA-flow compatible
> x509-Authn flow already, which is configured in x509-authn-config.xml.
> but it's not supposed to work with U2F via Yubikey (or other plugins)
> out-of-the-box.

It's orthogonal, U2F isn't an X.509 authentication mechanism. All correctly implemented login flows are "MFA compatible" since the MFA flow can run and combine the results of any login flows. The name of the MFA flow derives from its common usage, but all it really is is an orchestration layer. It doesn't know what mechanisms it's calling or combining or whether it actually has to do two things or not.

> Does someone have any experience and thoughts on this kind of setup, even?

You have to be more specific, but any answer here starts with learning the MFA flow and scripting it to do things you want done.

-- Scott
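Added example, not from this thread or from the Shibboleth project's own configuration files: a sketch of the mfa-authn-config.xml transition map for the "X.509 OR (Password + something)" case discussed above, assuming the IdP 3.3 MFA flow beans (shibboleth.authn.MFA.TransitionMap, shibboleth.authn.MFA.Transition, shibboleth.ContextFunctions.Scripted) and the stock authn/X509 and authn/Password flows; `authn/U2F` is an assumed placeholder for whatever flow id the second-factor plugin registers.

```xml
<!-- Excerpt for conf/authn/mfa-authn-config.xml (assumed layout). The MFA flow only
     orchestrates: it runs one login flow, then looks up that flow's id here to decide
     what to run next. A missing key (or a script returning null) ends the MFA flow. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Empty key: the first flow to run. Try the certificate flow before anything else. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/X509" />
    </entry>
    <!-- After X.509: a script decides whether we are done or must fall back to password. -->
    <entry key="authn/X509">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="afterCertificate" />
    </entry>
    <!-- After Password: a script decides whether the second factor is still required. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="afterPassword" />
    </entry>
    <!-- No entry for authn/U2F (assumed id): once it completes, the MFA flow stops. -->
</util:map>

<bean id="afterCertificate" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <value><![CDATA[
        authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
        // "proceed" means the certificate flow produced a result (X.509 alone satisfies the
        // request). Any other event (no certificate presented, validation failure) is not an
        // error for the user: it just means the OR branch falls through to Password.
        var event = mfaCtx.getEvent();
        nextFlow = null;
        if (event == null || event != "proceed") {
            nextFlow = "authn/Password";
        }
        nextFlow;
    ]]></value>
</bean>

<bean id="afterPassword" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <value><![CDATA[
        authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
        // The password result never satisfies the request on its own unless the SP asked
        // for nothing stronger; isAcceptable() compares the active results against what
        // the SP requested, so an SP that only accepts a higher context class always gets
        // the second factor. Drop the check to make the second factor unconditional.
        nextFlow = "authn/U2F";   // ASSUMED: the plugin's flow id, not from the thread
        if (mfaCtx.isAcceptable()) {
            nextFlow = null;
        }
        nextFlow;
    ]]></value>
</bean>
```

The second-factor flow has to be one written in the 3.3 style (like the Duo flow) that accepts the existing Password result rather than re-running the username/password step, otherwise the merge into one acceptable result will not compose as intended.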
