Shibboleth MFA questions

Stefan Wold ratler at
Mon May 22 06:49:20 EDT 2017

On Wed, May 17, 2017 at 11:29 PM Cantor, Scott <cantor.2 at> wrote:

> On 5/17/17, 5:06 PM, "users on behalf of s-awinte at" <
> users-bounces at on behalf of s-awinte at> wrote:
> > I'd like to get your opinion and hints on using MFA-flow with x509Authn
> > and U2F with pw + uname + Yubikey via plugin (which we're using already):
> > GitHub - Ratler/shibboleth-mfa-u2f-auth: U2F multifactor authentication
>
> Basically anything written prior to 3.3 is suspect and will probably not
> work except in isolation when used by itself or alongside other methods
> that aren't being combined with it. X.509 OR Password is fine. X.509 OR
> (Password + something) will not be fine because the "something" won't be
> doing things properly because there wasn't a proper way to do it. It's not
> a criticism, it's a gap in the original design that people rushed to
> circumvent before there was a real way to do it.

Let me add some context here that should make it a bit more clear what
Armin is trying to do. The U2F plugin should be fully compatible with Shib
3.3, and it should behave just like the built-in DUO plugin by getting the
username from net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy.

I don't think X509Authn actually produces a "username" without creating a
Subject Canonicalization flow that can pull a username out of the subject.
I haven't really used X509Authn myself, but I'm guessing that by default
the subject is based on the certificate's subject DN? That subject most
likely does not match a username in, for example, LDAP/AD.

An example of how to configure a Subject C14N flow to populate a "username"
based on the X509Authn subject is probably what Armin was asking for.
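
The mismatch described in the message above, shown as an added illustration (not part of the thread and not Shibboleth's own c14n code): a Python sketch that derives a username from an RFC 4514 subject DN and fails closed when the result is malformed, ambiguous, or not a valid username. The attribute priority (UID, then CN), the username pattern, and the sample DNs are assumptions made for the example.

```python
import re

# Assumptions for this sketch: attribute priority and the local username policy.
USERNAME_ATTRS = ("UID", "CN")
USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")

def _split(s, sep):
    """Split on sep, leaving backslash-escaped characters (RFC 4514) untouched."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def _unescape(value):
    """Decode hex-pair escapes (ASCII only here) and single-character escapes in one pass."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def username_from_subject(dn):
    """Return a canonical username for the subject DN, or None (fail closed)."""
    attrs = {}
    for rdn in _split(dn, ","):
        for ava in _split(rdn, "+"):          # multi-valued RDN
            key, eq, val = ava.partition("=")
            if not eq:
                return None                   # malformed DN
            attrs.setdefault(key.strip().upper(), []).append(_unescape(val.strip()))
    for name in USERNAME_ATTRS:
        values = attrs.get(name, [])
        if len(values) > 1:
            return None                       # ambiguous: refuse to guess
        if values:
            candidate = values[0].lower()
            return candidate if USERNAME_RE.fullmatch(candidate) else None
    return None

if __name__ == "__main__":
    # Constructed sample subjects, not taken from the thread.
    for dn in ("CN=Jane Doe,OU=Staff,O=Example,C=SE", "UID=JDoe,CN=Jane Doe,O=Example"):
        print(dn, "->", username_from_subject(dn))
```

A subject whose CN is a display name yields no username at all, which is the case where a second factor keyed on the canonical username has nothing to look up.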
