Use AttributePredicate in MFA-config
Philip Brusten
philip.brusten at kuleuven.be
Fri Mar 16 08:21:20 EDT 2018
Hi
We have use cases where we want to trigger our strong authentication
method for certain users in combination with an application.
I created some activationConditions using the compound logic, attribute
checking & specific relying party checks in order to evaluate them in
the script-logic that will eventually trigger our second factor.
When I try to evaluate that predicate (see
"MFAActivationCondition.apply(input)"), I get:
WARN [net.shibboleth.idp.profile.logic.AbstractAttributePredicate:88] -
No AttributeContext located for evaluation -
What are the preconditions to use the attribute predicates during
authentication?
Before I evaluate the compound predicate, I already create the
AttributeResolverContext for the current user (known from the first
factor) and resolve an attribute. Doesn't this set the AttributeContext?
Some snippets from the script:
#####
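// Create (or fetch) an AttributeResolutionContext as a child of the input context.
resCtx = input.getSubcontext(
    "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext",
    true);
resCtx.setPrincipal(username);
logger.debug('resolving attrs for ' + username);
// Request the MFAPreferredMethod attribute, then run the resolver.
resCtx.getRequestedIdPAttributeNames().add("MFAPreferredMethod");
resCtx.resolveAttributes(custom.get("AttributeResolverService"));
// Fetch the activation condition from the custom object and evaluate it against input.
MFAActicationCondition = custom.get("MFAActicationCondition");
isMFAObligated = MFAActicationCondition.apply(input);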
####
Thanks,
Philip