Shibboleth MFA questions

Andrew Morgan morgan at orst.edu
Mon May 22 19:02:51 EDT 2017


On Tue, 23 May 2017, s-awinte at haw-landshut.de wrote:

> Well, I assumed that building a user principal name (or canonicalized
> subject, if you will) would be done via reading client cert attributes
> handed over from Apache via:
>
> SSLOptions +ExportCertData -StdEnvVars
>
> Probably via a c14n flow, as mentioned by Stefan, or maybe by
> configuring the MFA-flow with the right bean, as in the DUO-flow - but
> which, and how?
>
> As for
> https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration
> and CanonicalUsernameLookupStrategy - I've found a reference on this page:
> http://shibboleth.1660669.n2.nabble.com/IDPv3-3-and-programmatically-selecting-MFA-based-on-attribute-td7630903.html
>
> But no example on the Shib wiki page above, at least none that seems
> to be accessible from there - are the boxed captions supposed to contain
> any additional information?
> If so, they are not rendered in my FF browser.

You have to click on the words "Expand source" on the right-hand side of 
the box.  You'll see the example code in the expanded box.

When using the MFA flow, please remember that it is actually just a way to 
orchestrate multiple authentication methods, chaining them together 
according to rules.  You should start by understanding how the individual 
authentication methods work.  Check out the X509AuthnConfiguration.  Based 
on your description, it sounds like X509 will be your first factor.

 	Andy