Shibboleth MFA questions

s-awinte at s-awinte at
Mon May 22 15:55:56 EDT 2017

Configuration and scripting examples would be very much appreciated, yes.

I'm pretty new to the Shibboleth context and the docs on the website are
somewhat abstract to me.
It seems not to be easy to figure out, which configurations have to be
changed in which ways, to achieve (more advanced) tasks, in a
straightforward manner.

Basically, I need some resources on how and where to start -
examples are often quite helpful in understanding how an API works and
how it's used.

Currently, I'm rather tied up in a variety of tasks, one of which is
making Shibboleth x509Authn via MFA-flow work along with Stefan's
Which unfortunately means, I haven't got much time at hand for research
and digging - provided I knew where. Cert-based authn should be a common
task to do, and plenty of information should be around for that - so I
figured. But it seems, that's not necessarily the case, even for
standard MFA usage. Now, there's the additional task of 'marrying'
U2F and x509auth.

So, any input on how to do things, additional information on how and
what to 'script', is very welcome.


On 22.05.2017 at 12:49, Stefan Wold wrote:
> On Wed, May 17, 2017 at 11:29 PM Cantor, Scott <cantor.2 at> wrote:
>> On 5/17/17, 5:06 PM, "users on behalf of s-awinte at" <
>> users-bounces at on behalf of s-awinte at> wrote:
>>> I'd like to get your opinion and hints on using MFA-flow with x509Authn
>>> and U2F with pw + uname + Yubikey via plugin (which we're using already):
>>> GitHub - Ratler/shibboleth-mfa-u2f-auth: U2F multifactor authentication
>> Basically anything written prior to 3.3 is suspect and will probably not
>> work except in isolation when used by itself or alongside other methods
>> that aren't being combined with it. X.509 OR Password is fine. X.509 OR
>> (Password + something) will not be fine because the "something" won't be
>> doing things properly because there wasn't a proper way to do it. It's not
>> a criticism, it's a gap in the original design that people rushed to
>> circumvent before there was a real way to do it.
> Let me add some context here that should make it a bit more clear what
> Armin is trying to do. The U2F plugin should be fully compatible with Shib
> 3.3, and it should behave just like the built-in Duo plugin by getting the
> username from
> net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy.
> I don't think X509Authn actually produces a "username" without creating a
> Subject Canonicalization flow that can pull a username out of the subject.
> I haven't really used X509Authn myself, but I'm guessing that by default
> the subject is based on the certificate's subject DN? That subject most
> likely does not match a username in for example LDAP/AD.
> An example of how to configure a Subject C14N flow to populate a "username"
> based on the X509Authn subject is probably what Armin was asking for.
> Cheers,
> Stefan
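Editor's note: the thread above asks for a Subject C14N example but does not contain one. The following is an added example, not config posted by any participant or shipped by the Ratler plugin. It uses the stock Shibboleth IdP 3.3 X.500 canonicalization flow (conf/c14n/x500-subject-c14n-config.xml and conf/c14n/subject-c14n.xml) to turn an X509Authn result into a plain username, and then sketches the 3.3 MFA transition map that would chain X.509 to a second factor. The mail domain example.org and the second-factor flow ID authn/U2F are assumptions; the real flow ID comes from the plugin you install.

```xml
<!-- conf/c14n/x500-subject-c14n-config.xml (fragments; these beans live inside the
     file's existing <beans> root). Assumption: certificates carry the user's mail
     address as an rfc822Name subjectAltName or as emailAddress / CN in the DN. -->

<!-- Subject DN attribute types to try, as dotted OIDs, in this order.
     1.2.840.113549.1.9.1 = emailAddress, 2.5.4.3 = commonName. -->
<util:list id="shibboleth.c14n.x500.ObjectIDs">
    <value>1.2.840.113549.1.9.1</value>
    <value>2.5.4.3</value>
</util:list>

<!-- subjectAltName types to try; 1 = rfc822Name (an e-mail address). -->
<util:list id="shibboleth.c14n.x500.SubjectAltNameTypes">
    <value>1</value>
</util:list>

<!-- Normalize the extracted value so it matches the LDAP/AD account name:
     strip surrounding whitespace, then lowercase. -->
<util:constant id="shibboleth.c14n.x500.Trim" static-field="java.lang.Boolean.TRUE"/>
<util:constant id="shibboleth.c14n.x500.Lowercase" static-field="java.lang.Boolean.TRUE"/>
<util:constant id="shibboleth.c14n.x500.Uppercase" static-field="java.lang.Boolean.FALSE"/>

<!-- Regex transforms applied to the extracted value. Here: keep only the local
     part of an address in the assumed example.org domain, so
     "J.Doe@example.org" becomes "j.doe". An address in any other domain does not
     match and is left untouched, which is usually what you want, since it will
     then fail to resolve to a local account instead of silently mapping. -->
<util:list id="shibboleth.c14n.x500.Transforms">
    <bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />
</util:list>

<!-- conf/c14n/subject-c14n.xml: make sure the X.500 flow is in the post-login
     list. Flows run in order; c14n/simple remains as the fallback for the
     Password flow. -->
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
    <bean id="c14n/x500" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
    <bean id="c14n/simple" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
</util:list>

<!-- conf/authn/mfa-authn-config.xml: chain X.509 to a second factor. The empty
     key is the entry point. "authn/U2F" is an ASSUMED flow ID standing in for
     whatever the installed plugin registers; with idp.authn.flows = MFA in
     idp.properties. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/X509" />
    </entry>
    <entry key="authn/X509">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/U2F" />
    </entry>
</util:map>
```

Two checks worth doing before trusting this in front of a second factor. First, run a login with a test certificate and confirm in idp-process.log that the c14n/x500 flow produced the expected principal name; if the Transforms regex does not match, the raw address (or CN) is what the second-factor plugin will look up via CanonicalUsernameLookupStrategy, and a CN such as "John Doe" will not be a valid directory account. Second, decide deliberately which OIDs and SAN types you accept: every value in the lists is a path by which a certificate from your trusted CA can claim a username, so include only the fields the CA is known to populate and control.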
