more mfa scripting logic
Lee Foltz
foltz2 at oakland.edu
Tue Feb 6 08:46:37 EST 2018
Brad,
We are using authn/Password, then authn/Duo for Banner Admin pages.
Everything else uses just authn/Password
We have over 50 other CAS services and are only enabling the DUO part for
Banner admin pages at this point, but we can easily add other services.
For licensing costs with DUO, we are only enabling DUO as second factor for
specific CAS services or SAML services via relying party.
In general-authn.xml we are doing this. The relying party config is where we
are using the CAS group to only have those services use DUO.
<!-- added for DUO-->
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
    p:passiveAuthenticationSupported="true"
    p:forcedAuthenticationSupported="true" />

<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
    p:forcedAuthenticationSupported="true" p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="http://id.incommon.org/assurance/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="http://id.incommon.org/assurance/mfa" />
        </list>
    </property>
</bean>

<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
    p:passiveAuthenticationSupported="false"
    p:forcedAuthenticationSupported="true" p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="http://id.incommon.org/assurance/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="http://id.incommon.org/assurance/mfa" />
        </list>
    </property>
</bean>
In mfa-authn-config.xml we did this.
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- First rule runs the Password login flow. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition"
            p:nextFlow="authn/Password" />
    </entry>
    <!-- Second rule runs a function if Password succeeds, to determine
         whether an additional factor is required. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition"
            p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
    <!-- An implicit final rule will return whatever the final flow returns. -->
</util:map>

<!-- Example script to see if second factor is required. -->
<bean id="checkSecondFactor"
    parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
            nextFlow = "authn/Duo";
            nextFlow; // pass control to second factor or end with the first
        ]]>
        </value>
    </constructor-arg>
</bean>
On Mon, Feb 5, 2018 at 4:10 PM, Mathis, Bradley <bmathis at pima.edu> wrote:
> Thanks Lee, I like the idea of using a group for the CAS/MFA service. I
> may try to use that.
>
> The part I don't get from your example (and it's definitely my lack of
> understanding) ... where is it that you are forcing DUO for those Banner/CAS
> services?
>
> Also do you have more than one authentication type enabled? I only have
> MFA enabled. I was specifying the MFA authentication in the relying party
> config file also but took it out when I realized that to do opt-in for Duo
> on everything I was going to have to send everything to the MFA flow. Your
> suggestion might work for me (or at least part of it) .... I will have to
> think it through and test it out.
>
> Thanks for your input!
>
>
> Brad Mathis
> Principal Systems Analyst
> Pima Community College
> IT - Technical Services
> 520.206.4826
> bmathis at pima.edu
>
> On Mon, Feb 5, 2018 at 1:34 PM, Lee Foltz <foltz2 at oakland.edu> wrote:
>
>> Brad,
>> We did the following for Banner 9 services.
>>
>> We created this entry in relying party. Then all we do is add the CAS
>> services we want to use MFA for in cas-protocol.xml to the
>> mfa-services group (p:group="mfa-services").
>>
>> <bean parent="RelyingPartyByGroup" c:groupNames="mfa-services">
>>     <property name="profileConfigurations">
>>         <list>
>>             <bean parent="CAS.LoginConfiguration">
>>                 <property name="defaultAuthenticationMethods">
>>                     <list>
>>                         <bean parent="shibboleth.SAML2AuthnContextClassRef"
>>                             c:classRef="http://id.incommon.org/assurance/mfa" />
>>                         <!--<bean parent="shibboleth.SAML2AuthnContextClassRef"
>>                             c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />-->
>>                     </list>
>>                 </property>
>>             </bean>
>>             <bean parent="CAS.ProxyConfiguration" />
>>             <bean parent="CAS.ValidateConfiguration" />
>>         </list>
>>     </property>
>> </bean>
>>
>> Then in cas-protocol.xml we did this
>>
>> <!-- Banner Application Navigator -->
>> <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
>>     c:regex="https://somebox.name.edu:8443(/.*)?"
>>     p:group="mfa-services"
>>     p:authorizedToProxy="true"
>>     p:singleLogoutParticipant="true" />
>>
>> All our other CAS services are just "authn/Password", but if we add them
>> to this p:group it uses authn/DUO after authn/Password.
>> One nice feature is since the cas file reloads every 15 minutes, we don't
>> have to restart the service to add a new MFA service.
>>
>> On Mon, Feb 5, 2018 at 1:57 PM, Mathis, Bradley <bmathis at pima.edu> wrote:
>>
>>> Howdy all,
>>>
>>> I'm successfully using mfa logic to send specific users to Duo
>>> Authentication, thanks to the samples/documentation/wiki and postings from
>>> users here on users at shibboleth.net
>>> I'm now adding another piece of mfa logic to the mfa-authn-config.xml
>>> checkSecondFactor inline script.
>>>
>>> Prior to checking for specific user attributes I'm now first checking
>>> the RelyingPartyId to see if Duo is needed. I'm able to do this
>>> successfully after stealing some example logic that Andrew Morgan posted.
>>> Thanks Andrew!
>>>
>>>
>>> This is an excerpt from my mfa-authn-config.xml
>>>
>>> rpid = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();
>>> if (rpid.equals("https://banner-temp.pima.edu/applicationNavigator/j_spring_cas_security_check")) {
>>>     nextFlow = "authn/Duo";
>>> }
>>>
>>>
>>> The above works if I add an if statement for every RelyingPartyId
>>> separately. I was hoping I might be able to use a regular expression and
>>> do a pattern match or something like that (my terminology is probably
>>> wrong). I'm not a programmer.
>>>
>>>
>>> e.g.
>>>
>>> Let's say I have multiple RelyingPartyIds like this
>>>
>>> https://banner-temp.pima.edu/applicationNavigator/j_spring_cas_security_check
>>> https://banner-dev.pima.edu/applicationNavigator/j_spring_cas_security_check
>>> https://banner-test.pima.edu/applicationNavigator/j_spring_cas_security_check
>>> https://banner-prod.pima.edu/applicationNavigator/j_spring_cas_security_check
>>> rather than creating an if statement for each one I would like to do a
>>> pattern match up against something like this
>>>
>>> (https:\/\/.+(pima.edu\/applicationNavigator\/j_spring_cas_security_check)\/?.*)
>>>
>>>
>>> and if it's true then set the nextFlow = "authn/Duo"
>>>
>>>
>>> Anyone have a sample I can hack at? If not, no worries; I'm very
>>> happy with my success so far and can probably live with adding each one
>>> separately.
>>>
>>>
>>> Thanks!
>>>
>>>
>>>
>>>
>>> Brad Mathis
>>> Principal Systems Analyst
>>> Pima Community College
>>> IT - Technical Services
>>> 520.206.4826
>>> bmathis at pima.edu
>>>
>>> --
>>> For Consortium Member technical support, see
>>> https://wiki.shibboleth.net/confluence/x/coFAAg
>>> To unsubscribe from this list send an email to
>>> users-unsubscribe at shibboleth.net
>>>
>>
>> --
>> Lee Foltz
>> Oakland University - UTS
>> Senior Identity Systems Engineer
>>
>> 248-370-2675
>>
>
--
Lee Foltz
Oakland University - UTS
Senior Identity Systems Engineer
248-370-2675
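Brad asked for a pattern-match version of the checkSecondFactor inline script, and the thread never shows one, so here is an added example. It is not code from the thread, from Lee or Brad, or from the Shibboleth project. It takes the decision logic out of the CDATA block and into plain functions so it can be run with Node and tested; inside mfa-authn-config.xml the same body would sit in the inline script with profileContext supplied by the IdP, and the fakeProfileContext helper below is a constructed stand-in for that object, not an IdP API. The hostnames are the four Brad listed. The one deliberate change from Brad's draft regex is that the pattern is anchored, escapes the dots, and names the allowed hosts instead of using ".+", so that "pima.edu" cannot match "pimaXedu" and an unrelated host whose URL merely contains the callback path string is not treated as a Banner service. The String() call is an assumption that the IdP's Nashorn engine hands the id over as a java.lang.String; on a plain JS string it is a no-op.

```javascript
// Added example, not part of the mailing-list thread or the Shibboleth IdP.
// checkSecondFactor-style decision as plain functions so it runs outside the IdP.

// Anchored pattern: scheme, one of the known Banner hosts (the four quoted in
// the thread), the exact CAS callback path, then an optional trailing slash or
// query string. Every literal dot is escaped; the host alternation replaces
// the ".+" from the draft regex so only these hosts qualify for Duo.
var MFA_SERVICE_PATTERN = new RegExp(
  "^https://banner-(temp|dev|test|prod)\\.pima\\.edu" +
  "/applicationNavigator/j_spring_cas_security_check(/|\\?.*)?$"
);

// Returns the next MFA flow for a relying party id: "authn/Duo" when the
// service matched, otherwise null (the thread's own script comment: end with
// the first factor instead of running a second one).
function selectNextFlow(rpid) {
  if (rpid === null || rpid === undefined) {
    return null; // no RelyingPartyContext available: password only
  }
  // String(...) is an assumption that Nashorn may pass a java.lang.String;
  // on a native JS string it changes nothing.
  return MFA_SERVICE_PATTERN.test(String(rpid)) ? "authn/Duo" : null;
}

// Mirrors the shape of the inline script body: read the relying party id
// from the profile context and return the flow id (or null).
function checkSecondFactor(profileContext) {
  var rpCtx = profileContext.getSubcontext(
    "net.shibboleth.idp.profile.context.RelyingPartyContext");
  var rpid = rpCtx ? rpCtx.getRelyingPartyId() : null;
  return selectNextFlow(rpid);
}

// Constructed stand-in for the IdP's profile request context (hypothetical
// helper, only enough surface to drive checkSecondFactor outside the IdP).
function fakeProfileContext(rpid) {
  return {
    getSubcontext: function (className) {
      if (className !== "net.shibboleth.idp.profile.context.RelyingPartyContext") {
        return null;
      }
      return { getRelyingPartyId: function () { return rpid; } };
    }
  };
}

// Demonstration when run directly with Node: constructed relying party ids,
// the last three of which must not be routed to Duo.
if (typeof require !== "undefined" && require.main === module) {
  [
    "https://banner-prod.pima.edu/applicationNavigator/j_spring_cas_security_check",
    "https://banner-test.pima.edu/applicationNavigator/j_spring_cas_security_check?x=1",
    "https://other.pima.edu/applicationNavigator/j_spring_cas_security_check",
    "https://banner-prod.pimaXedu/applicationNavigator/j_spring_cas_security_check",
    "https://cas-client.example.edu/login"
  ].forEach(function (id) {
    console.log(id, "->", checkSecondFactor(fakeProfileContext(id)));
  });
}
```

To use this inside the IdP, the body of the CDATA block would call the same logic and leave the flow id (or null) as the script's last expression, exactly as Lee's one-line script does with `nextFlow;`. Keeping the host list in the regex explicit is what makes the rule reviewable: anyone reading the config can see which services are forced through Duo without tracing a wildcard.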