SP step-up authentication

Plovich, Tony aplovich at anl.gov
Mon Apr 29 14:17:23 EDT 2019


> That's because you didn't enforce it, and that hole would be there whether you use an override or not.
>
> The use of an override is the only way to force the behavior statically so that users don't get bad behavior. If the application itself does the enforcing, it can respond to failure by issuing a login request with a redirect to /Login and specify the authnContextClassRef to use, so you get seamless behavior, and that doesn't take an override.
Thanks for the heads up, I'll look into updating the access control 
rules as well as adding the override.

Has there been any thought about making the redirect behavior something 
the access control system can do?  It can be difficult to get people to 
extend their app.

Tony Plovich (aplovich at anl.gov)
Business Information Systems (BIS)
Argonne National Laboratory

On 4/29/19 11:50 AM, Cantor, Scott wrote:
> On 4/29/19, 12:37 PM, "users on behalf of Plovich, Tony" <users-bounces at shibboleth.net on behalf of aplovich at anl.gov> wrote:
>
>> I tried securing them with a native Apache content setting:
> That doesn't secure it. Securing it is done by requiring the necessary AuthnContext class you want to require with authz. The step you took is the sugar, it's simply the thing that automates the process of getting the IdP to give you that, but without enforcement, you've done nothing.
>
>> However, it was discovered that a user could authenticate to app2 with a password and then enter app1 without being
>> sent back to the IDP to auth with a smartcard.  After reading
> That's because you didn't enforce it, and that hole would be there whether you use an override or not.
>
> The use of an override is the only way to force the behavior statically so that users don't get bad behavior. If the application itself does the enforcing, it can respond to failure by issuing a login request with a redirect to /Login and specify the authnContextClassRef to use, so you get seamless behavior, and that doesn't take an override.
>
> -- Scott
>
>


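The application-side enforcement Scott describes (check the AuthnContext class of the current session and, when it is not strong enough, send the browser to the SP's Login handler with authnContextClassRef set) as an added Python example; this is not code from the thread or from the Shibboleth project. It assumes the SP's default exports: the Shib-AuthnContext-Class variable and the /Shibboleth.sso/Login handler with its target and authnContextClassRef parameters; the SmartcardPKI and PasswordProtectedTransport URIs are standard SAML 2.0 class names used only as sample input, and which class a particular IdP emits for smartcard or password login is deployment-specific.

```python
from urllib.parse import urlencode

# Sample AuthnContext class URIs (standard SAML 2.0 values; which one your
# IdP actually asserts for each login method is an assumption here).
SMARTCARD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Default location of the SP session-initiator (Login) handler.
LOGIN_HANDLER = "/Shibboleth.sso/Login"


def step_up_login_url(login_handler, target, required_class):
    """Build the Login-handler URL that asks the IdP for `required_class`
    and brings the user back to `target` once the IdP has satisfied it."""
    query = urlencode({"target": target, "authnContextClassRef": required_class})
    return f"{login_handler}?{query}"


def enforce_authn_context(request_vars, acceptable_classes, request_url,
                          login_handler=LOGIN_HANDLER):
    """Application-side step-up check.

    `request_vars` is the dict of variables the SP populated for this request
    (environment variables are preferable to HTTP headers, since a client can
    only forge headers; the lookup here is case-insensitive to cover both).
    `acceptable_classes` lists the classes that satisfy this resource, strongest
    first. Returns (allowed, redirect_url): allowed is True when the session's
    class is acceptable; otherwise redirect_url points at the Login handler
    requesting the strongest acceptable class, which is the seamless path the
    thread describes instead of a bare 403.
    """
    lowered = {k.lower(): v for k, v in request_vars.items()}
    present = lowered.get("shib-authncontext-class", "")
    if present in acceptable_classes:
        return True, None
    wanted = acceptable_classes[0]
    return False, step_up_login_url(login_handler, request_url, wanted)


if __name__ == "__main__":
    # Constructed request: session established at app2 with a password only.
    weak = {"Shib-AuthnContext-Class": PASSWORD_CLASS}
    print(enforce_authn_context(weak, [SMARTCARD_CLASS], "https://app1.example.org/secure"))
```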