No attributes after enabling MFA flow
Andrew Morgan
morgan at orst.edu
Thu May 17 00:33:15 EDT 2018
Paul,
Did you clean up the resCtx? I remember Scott pointed out to me that you
have to include something like this:
input.removeSubcontext(resCtx); // cleanup
near the end of your MFA script. Something about it stepping on later
attribute resolution...
In my case, I have that cleanup as the last line before I return nextFlow.
Thanks,
Andy
On Wed, 16 May 2018, Paul B. Henson wrote:
> On Thu, May 17, 2018 at 03:34:42AM +0000, Paul B. Henson wrote:
>> I'm going to call it a night and revisit this in the morning, but any
>
> Hmm, well, I tried one quick thing before giving up; if I change my MFA
> checkSecondFactor script to be just:
>
> nextFlow = 'authn/Duo';
> nextFlow;
>
> attributes show up. So there must be something goofy in my more
> complicated script <sigh>. I didn't think I was having this problem when
> I was initially testing in dev, but after updating the MFA selection
> logic to something more complicated I think I only tested with CAS
> services, not SAML ones, in my dev environment.
>
> Does anything jump out as broken in this?
>
> // list of regular expressions for MFA strictly required service providers
> mfa_sp_regexes = [
>     'https://login.calstate.edu/cfs/mfa',
> ];
>
> logger = Java.type('org.slf4j.LoggerFactory').getLogger('mfa-check');
>
> authCtx = input.getSubcontext('net.shibboleth.idp.authn.context.AuthenticationContext');
> mfaCtx = authCtx.getSubcontext('net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext');
>
> nextFlow = null;
>
> resCtx = input.getSubcontext('net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext', true);
> usernameLookupStrategyClass = Java.type('net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy');
> usernameLookupStrategy = new usernameLookupStrategyClass();
> resCtx.setPrincipal(usernameLookupStrategy.apply(input));
> resCtx.getRequestedIdPAttributeNames().add('cppEduPersonStatusFlag');
> resCtx.resolveAttributes(custom);
> status_flag = resCtx.getResolvedIdPAttributes().get('cppEduPersonStatusFlag');
>
> stringType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
> if (status_flag != null && status_flag.getValues().contains(new stringType('duo_activated'))) {
>     logger.info('user has Duo available');
>     nextFlow = 'authn/Duo';
> }
> else {
>     rpid = profileContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext').getRelyingPartyId();
>     logger.info('no Duo available for user');
>     // 'every' returns true if the check returns true for every element, or
>     // false as soon as a check returns false. So it will return true if none
>     // of the regexps match the SP, or false as soon as one does.
>     if (!mfa_sp_regexes.every(function(element) { re = new RegExp(element); return !re.test(rpid); })) {
>         logger.info('SP ' + rpid + ' requires MFA, failing');
>         mfaCtx.setEvent('MFAlacking');
>     }
> }
>
> nextFlow;
>
> Thanks...
>
> --
> Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst | henson at cpp.edu
> California State Polytechnic University | Pomona CA 91768
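For reference, here is the selection logic from Paul's script with the input.removeSubcontext(resCtx) cleanup Andy describes placed before the return. This is an added example, not code from the thread or from the Shibboleth project: the IdP objects (input, profileContext, the context classes, Java.type) are replaced by minimal constructed stand-ins so it runs under Node, and the username lookup strategy and StringAttributeValue are simplified to plain strings; those stand-ins are assumptions, not the real API.

```javascript
const RES = 'net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext';
const AUTHN = 'net.shibboleth.idp.authn.context.AuthenticationContext';
const MFA = 'net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext';
const RP = 'net.shibboleth.idp.profile.context.RelyingPartyContext';
// Constructed stand-in for the IdP context tree (assumption, not the real API).
function ctxNode(directory) {
  const subs = new Map();
  const getSubcontext = (name, create) => {
    if (!subs.has(name) && create) subs.set(name, name === RES ? resCtxStub(directory) : ctxNode(directory));
    return subs.get(name) || null;
  };
  const removeSubcontext = (ctx) => { for (const [k, v] of subs) if (v === ctx) subs.delete(k); };
  return { getSubcontext, removeSubcontext };
}
// Stub AttributeResolutionContext backed by a constructed in-memory directory.
function resCtxStub(directory) {
  const requested = [], resolved = new Map(); let principal;
  const resolveAttributes = () => requested.forEach((n) => {
    const vals = (directory[principal] || {})[n];
    if (vals) resolved.set(n, { getValues: () => vals });
  });
  return { setPrincipal: (p) => { principal = p; }, resolveAttributes,
           getRequestedIdPAttributeNames: () => ({ add: (n) => requested.push(n) }),
           getResolvedIdPAttributes: () => resolved };
}
// Builds the ProfileRequestContext the script receives; it also serves as profileContext.
function makeRequest(username, rpid, directory) {
  const input = ctxNode(directory); input.username = username;
  const mfaCtx = input.getSubcontext(AUTHN, true).getSubcontext(MFA, true);
  mfaCtx.event = null; mfaCtx.setEvent = (e) => { mfaCtx.event = e; };
  input.getSubcontext(RP, true).getRelyingPartyId = () => rpid;
  return input;
}
// The thread's selection logic with the removeSubcontext cleanup added; the
// username lookup strategy and StringAttributeValue are simplified to strings.
function checkSecondFactor(input, profileContext) {
  const mfa_sp_regexes = ['https://login.calstate.edu/cfs/mfa'];
  const mfaCtx = input.getSubcontext(AUTHN).getSubcontext(MFA); let nextFlow = null;
  const resCtx = input.getSubcontext(RES, true); resCtx.setPrincipal(input.username);
  resCtx.getRequestedIdPAttributeNames().add('cppEduPersonStatusFlag'); resCtx.resolveAttributes();
  const flag = resCtx.getResolvedIdPAttributes().get('cppEduPersonStatusFlag');
  if (flag != null && flag.getValues().includes('duo_activated')) {
    nextFlow = 'authn/Duo';
  } else {
    const rpid = profileContext.getSubcontext(RP).getRelyingPartyId();
    if (!mfa_sp_regexes.every((e) => !new RegExp(e).test(rpid))) mfaCtx.setEvent('MFAlacking');
  }
  input.removeSubcontext(resCtx); // cleanup: leave no scratch resolution context for later steps
  return nextFlow;
}
```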