Shibboleth MFA questions

Andrew Morgan morgan at
Mon May 22 19:02:51 EDT 2017

On Tue, 23 May 2017, s-awinte at wrote:

> Well, I assumed that building a user principal name (or canonicalized
> subject, if you will) would be done via reading client cert attributes
> handed over from Apache via:
> SSLOptions +ExportCertData -StdEnvVars
> Probably via a c14n flow, as mentioned by Stefan, or maybe by
> configuring the MFA-flow with the right bean, as in the DUO-flow - but
> which, and how?
> As for
> and CanonicalUsernameLookupStrategy - I've found a reference on this page:
> But no example, on the Shib wiki page above, at least none, which seems
> to be accessible from there - are the boxed captions supposed to contain
> any additional information?
> If so, they are not rendered in my FF browser.

You have to click on the words "Expand source" on the right-hand side of 
the box.  You'll see the example code in the expanded box.

When using the MFA flow, please remember that it is actually just a way to 
orchestrate multiple authentication methods, chaining them together 
according to rules.  You should start by understanding how the individual 
authentication methods work.  Check out the X509AuthnConfiguration.  Based 
on your description, it sounds like X509 will be your first factor.


More information about the users mailing list