more mfa scripting logic

Lee Foltz foltz2 at oakland.edu
Mon Feb 5 15:34:51 EST 2018


Brad,
We did the following for Banner 9 services.

We created this entry in relying party.  Then all we do is add the CAS
services we want to use MFA in cas-protocol.xml to the
mfa-services   p:group="mfa-services"

<bean parent="RelyingPartyByGroup" c:groupNames="mfa-services">
    <property name="profileConfigurations">
        <list>
            <bean parent="CAS.LoginConfiguration">
                <property name="defaultAuthenticationMethods">
                    <list>
                        <bean parent="shibboleth.SAML2AuthnContextClassRef"
                              c:classRef="http://id.incommon.org/assurance/mfa" />
                        <!--<bean parent="shibboleth.SAML2AuthnContextClassRef"
                              c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />-->
                    </list>
                </property>
            </bean>
            <bean parent="CAS.ProxyConfiguration" />
            <bean parent="CAS.ValidateConfiguration" />
        </list>
    </property>
</bean>

Then in cas-protocol.xml we did this

<!-- Banner Application Navigator -->
<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
      c:regex="https://somebox.name.edu:8443(/.*)?"
      p:group="mfa-services"
      p:authorizedToProxy="true"
      p:singleLogoutParticipant="true" />

All our other CAS services are just "authn/Password", but if we add them to
this p:group it uses authn/Duo after authn/Password.
One nice feature is that since the CAS file reloads every 15 minutes, we don't
have to restart the service to add a new MFA service.



On Mon, Feb 5, 2018 at 1:57 PM, Mathis, Bradley <bmathis at pima.edu> wrote:

> Howdy all,
>
> I'm successfully using mfa logic to send specific users to Duo
> Authentication, thanks to the samples/documentation/wiki and postings from
> users here on users at shibboleth.net
> I'm now adding another piece of mfa logic to the mfa-authn-config.xml
> checkSecondFactor inline script.
>
> Prior to checking for specific user attributes I'm now first checking the
> RelyingPartyId to see if   Duo is needed.   I'm able to do this
> successfully after stealing some example logic that Andrew Morgan posted
> ..Thanks Andrew!
>
>
> This is an excerpt from my mfa-authn-config.xml
>
>     rpid = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();
>     if (rpid.equals("https://banner-temp.pima.edu/applicationNavigator/j_spring_cas_security_check")) {
>         nextFlow = "authn/Duo";
>     }
>
>
> The above works if I add an if statement for every RelyingPartyId
> separately.  I was hoping I might be able to use a regular expression and
> do a pattern match or something like that (my terminology is probably
> wrong). I'm not a programmer.
>
>
> e.g.
>
> Let's say I have multiple RelyingPartyIds like this
>
> https://banner-temp.pima.edu/applicationNavigator/j_spring_cas_security_check
> https://banner-dev.pima.edu/applicationNavigator/j_spring_cas_security_check
> https://banner-test.pima.edu/applicationNavigator/j_spring_cas_security_check
> https://banner-prod.pima.edu/applicationNavigator/j_spring_cas_security_check
>
> rather than creating an if statement for each one I would like to do a
> pattern match up against something like this
>
> (https:\/\/.+(pima.edu\/applicationNavigator\/j_spring_cas_security_check)\/?.*)
>
>
> and if it's true then set the nextFlow = "authn/Duo"
>
>
> Anyone have a sample I can hack at?  If not, no worries; I'm very happy
> with my success so far and can probably live with adding each one
> separately.
>
>
> Thanks!
>
>
>
>
> Brad Mathis
> Principal Systems Analyst
> Pima Community College
> IT - Technical Services
> 520.206.4826
> bmathis at pima.edu
>
>
>
>
>
>
>
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/
> confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>



-- 
Lee Foltz
Oakland University - UTS
Senior Identity Systems Engineer

248-370-2675
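An added example (not posted by either participant) of the regex-based RelyingPartyId check Brad asked for, shaped like the checkSecondFactor inline script. The function bodies would sit inside the script, where the IdP supplies profileContext; here a constructed stand-in object (fakeProfileContext) replaces it so the logic can be exercised under Node.js. The pattern BANNER_RPID is constructed from the four URLs in the question and anchored to the banner-*.pima.edu hosts rather than using the unanchored `https:\/\/.+` form, so that a URL that merely contains the Banner path somewhere after its own hostname does not match. The array MFA_RPID_PATTERNS and the helper names are the example's own.

```javascript
// Constructed example: regex-based RelyingPartyId check for a Shibboleth IdP
// MFA inline script. In the IdP, `profileContext` is provided by the engine;
// here fakeProfileContext() stands in for it. This is not the project's code.

// Constructed from the RelyingPartyIds listed in the question. Anchored at
// both ends and pinned to the banner-*.pima.edu hosts so that a look-alike
// such as https://other.example/banner-x.pima.edu/applicationNavigator/...
// or https://banner-x.pima.edu.other.example/... does not match.
var BANNER_RPID = /^https:\/\/banner-[a-z0-9-]+\.pima\.edu\/applicationNavigator\/j_spring_cas_security_check\/?.*$/;

// One list of patterns replaces a chain of if statements; add more entries
// as further services need a second factor.
var MFA_RPID_PATTERNS = [BANNER_RPID];

// True when the relying party id matches any configured pattern.
function needsDuoForRpid(rpid) {
  if (rpid === null || rpid === undefined) {
    return false;
  }
  for (var i = 0; i < MFA_RPID_PATTERNS.length; i++) {
    if (MFA_RPID_PATTERNS[i].test(rpid)) {
      return true;
    }
  }
  return false;
}

// Mirrors the shape of the inline script: read the RelyingPartyId from the
// RelyingPartyContext and pick the next flow. Returns null when no second
// factor is required, which is what the script assigns to nextFlow in that
// case.
function selectNextFlow(profileContext) {
  var rpCtx = profileContext.getSubcontext(
    "net.shibboleth.idp.profile.context.RelyingPartyContext");
  var rpid = rpCtx !== null ? rpCtx.getRelyingPartyId() : null;
  if (needsDuoForRpid(rpid)) {
    return "authn/Duo";
  }
  return null;
}

// Constructed stand-in for the IdP's ProfileRequestContext (not the real
// API); it only implements the one lookup the script above performs.
function fakeProfileContext(rpid) {
  return {
    getSubcontext: function (className) {
      if (className === "net.shibboleth.idp.profile.context.RelyingPartyContext") {
        return { getRelyingPartyId: function () { return rpid; } };
      }
      return null;
    }
  };
}
```

Inside the real script the same decision would be written as `nextFlow = selectNextFlow(profileContext);` after the function definitions, and per-user attribute checks can follow it exactly as before. Keeping the patterns in a list also makes the "which services get Duo" policy visible in one place for review.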