No attributes after enabling MFA flow

Andrew Morgan morgan at orst.edu
Thu May 17 00:33:15 EDT 2018


Paul,

Did you clean up the resCtx?  I remember Scott pointed out to me that you 
have to include something like this:

   input.removeSubcontext(resCtx);   // cleanup

near the end of your MFA script.  Something about it stepping on later 
attribute resolution...

In my case, I have that cleanup as the last line before I return nextFlow.

Thanks,
 	Andy


On Wed, 16 May 2018, Paul B. Henson wrote:

> On Thu, May 17, 2018 at 03:34:42AM +0000, Paul B. Henson wrote:
>> I'm going to call it a night and revisit this in the morning, but any
>
> Hmm, well, I tried one quick thing before giving up; if I change my MFA
> checkSecondFactor script to be just:
>
> nextFlow = 'authn/Duo';
> nextFlow;
>
> attributes show up. So there must be something goofy in my more
> complicated script <sigh>. I didn't think I was having this problem when
> I was initially testing in dev, but after updating the MFA selection
> logic to something more complicated I think I only tested with CAS
> services, not SAML ones, in my dev environment.
>
> Does anything jump out as broken in this?
>
> // list of regular expressions for MFA strictly required service providers
> mfa_sp_regexes = [
>     'https://login.calstate.edu/cfs/mfa',
> ];
>
> logger = Java.type('org.slf4j.LoggerFactory').getLogger('mfa-check');
>
> authCtx = input.getSubcontext('net.shibboleth.idp.authn.context.AuthenticationContext');
> mfaCtx = authCtx.getSubcontext('net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext');
>
> nextFlow = null;
>
> resCtx = input.getSubcontext('net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext', true);
> usernameLookupStrategyClass = Java.type('net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy');
> usernameLookupStrategy = new usernameLookupStrategyClass();
> resCtx.setPrincipal(usernameLookupStrategy.apply(input));
> resCtx.getRequestedIdPAttributeNames().add('cppEduPersonStatusFlag');
> resCtx.resolveAttributes(custom);
> status_flag = resCtx.getResolvedIdPAttributes().get('cppEduPersonStatusFlag');
>
> stringType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
> if (status_flag != null && status_flag.getValues().contains(new stringType('duo_activated'))) {
>     logger.info('user has Duo available');
>     nextFlow = 'authn/Duo';
> }
> else {
>     rpid = profileContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext').getRelyingPartyId();
>     logger.info('no Duo available for user');
>     // 'every' returns true if the check returns true for every element, or
>     //   false as soon as a check returns false. So it will return true if none
>     //   of the regexps match the SP, or false as soon as one does.
>     if (!mfa_sp_regexes.every(function(element)
>             { re = new RegExp(element); return !re.test(rpid); })) {
>         logger.info('SP ' + rpid + ' requires MFA, failing');
>         mfaCtx.setEvent('MFAlacking');
>     }
> }
>
> nextFlow;
>
>
>
> Thanks...
>
> -- 
> Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst  |  henson at cpp.edu
> California State Polytechnic University  |  Pomona CA 91768
> -- 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
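The point of Andy's reply is that the script creates an AttributeResolutionContext under the authentication input, resolves one attribute into it, and then leaves it in the context tree, where it can interfere with the real attribute resolution that follows for the SP. The following is an added example, not code from the thread or from Shibboleth: it stands in a small mock of the IdP context tree (the stub classes, the constructed DIRECTORY data and runScenario() are all assumptions) so that the shape of Paul's checkSecondFactor logic, with the cleanup placed in a finally block so it runs on every path, can be exercised outside the IdP. In the real script `input`, `profileContext` and `custom` are bound by the IdP's script engine, and attribute values are StringAttributeValue objects rather than plain strings.

```javascript
// Added example: mock of the Shibboleth IdP context tree (assumption, not the
// real API) used to exercise a checkSecondFactor-style script and verify that
// the AttributeResolutionContext it creates is removed again.

const AUTHN_CTX = 'net.shibboleth.idp.authn.context.AuthenticationContext';
const MFA_CTX = 'net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext';
const RES_CTX = 'net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext';
const RP_CTX = 'net.shibboleth.idp.profile.context.RelyingPartyContext';

// Constructed directory data: principal -> attribute name -> values.
const DIRECTORY = {
  alice: { cppEduPersonStatusFlag: ['duo_activated'] },
  bob: { cppEduPersonStatusFlag: [] },
};

// SPs for which MFA is strictly required (same pattern as in Paul's script).
const MFA_SP_REGEXES = ['https://login.calstate.edu/cfs/mfa'];

class BaseContext {
  constructor() { this.subcontexts = new Map(); }
  getSubcontext(name, create) {
    let ctx = this.subcontexts.get(name);
    if (!ctx && create) {
      ctx = new (CTX_TYPES[name] || BaseContext)();
      this.subcontexts.set(name, ctx);
    }
    return ctx || null;
  }
  removeSubcontext(ctx) {
    for (const [name, child] of this.subcontexts) {
      if (child === ctx) this.subcontexts.delete(name);
    }
  }
}

class AttributeResolutionContext extends BaseContext {
  constructor() { super(); this.principal = null; this.requested = new Set(); this.resolved = new Map(); }
  setPrincipal(p) { this.principal = p; }
  getRequestedIdPAttributeNames() { return this.requested; }
  resolveAttributes(_custom) {
    const record = DIRECTORY[this.principal] || {};
    for (const name of this.requested) {
      if (record[name]) this.resolved.set(name, { getValues: () => record[name] });
    }
  }
  getResolvedIdPAttributes() { return this.resolved; }
}

class MultiFactorAuthenticationContext extends BaseContext {
  constructor() { super(); this.event = null; }
  setEvent(e) { this.event = e; }
  getEvent() { return this.event; }
}

class RelyingPartyContext extends BaseContext {
  setRelyingPartyId(id) { this.rpid = id; }
  getRelyingPartyId() { return this.rpid; }
}

const CTX_TYPES = {
  [RES_CTX]: AttributeResolutionContext,
  [MFA_CTX]: MultiFactorAuthenticationContext,
  [RP_CTX]: RelyingPartyContext,
};

// The script body. Returns the next flow id ('authn/Duo') or null.
function checkSecondFactor(input, profileContext, username) {
  const mfaCtx = input.getSubcontext(AUTHN_CTX).getSubcontext(MFA_CTX);
  const resCtx = input.getSubcontext(RES_CTX, true);
  let nextFlow = null;
  try {
    resCtx.setPrincipal(username);
    resCtx.getRequestedIdPAttributeNames().add('cppEduPersonStatusFlag');
    resCtx.resolveAttributes(null);
    const statusFlag = resCtx.getResolvedIdPAttributes().get('cppEduPersonStatusFlag');
    if (statusFlag && statusFlag.getValues().includes('duo_activated')) {
      nextFlow = 'authn/Duo';
    } else {
      const rpid = profileContext.getSubcontext(RP_CTX).getRelyingPartyId();
      // every() is true only if no pattern matches the SP; a match means MFA is mandatory.
      if (!MFA_SP_REGEXES.every((p) => !new RegExp(p).test(rpid))) {
        mfaCtx.setEvent('MFAlacking');
      }
    }
  } finally {
    // The cleanup Andy describes: drop the temporary resolution context so the
    // later attribute resolution for the SP does not find it in the tree.
    input.removeSubcontext(resCtx);
  }
  return nextFlow;
}

// Builds a fresh context tree, runs the script and reports what it left behind.
function runScenario(username, rpid) {
  const input = new BaseContext();
  const profileContext = new BaseContext();
  const mfaCtx = input.getSubcontext(AUTHN_CTX, true).getSubcontext(MFA_CTX, true);
  profileContext.getSubcontext(RP_CTX, true).setRelyingPartyId(rpid);
  const nextFlow = checkSecondFactor(input, profileContext, username);
  return {
    nextFlow,
    event: mfaCtx.getEvent(),
    resCtxLeftBehind: input.getSubcontext(RES_CTX, false) !== null,
  };
}

console.log(JSON.stringify(runScenario('bob', 'https://login.calstate.edu/cfs/mfa')));
```

The finally block is the part worth copying: whether the user has Duo, lacks it, or the resolver throws, the resolution context is removed before control returns to the IdP, which is the behaviour Andy's one-line cleanup at the end of the script gives on the normal path.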

