FW: MFA for InCommon members

NAINI, NIKHIL NAINI at mailbox.sc.edu
Tue Jul 2 11:40:00 EDT 2019

Good Afternoon Gentlemen,

I have a question about MFA implementation for InCommon members (SPs). We're having difficulty with one particular vendor (CollegeNET Inc.): there are multiple applications being hosted with the same EntityID, and one of the applications requested that MFA be added. By default, I went ahead and added it based on the logic: getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();

This resulted in MFA being applied to all of the vendor's applications, and some of them have resource accounts that do not have a way around MFA. Did anyone else run into this kind of situation? I tried to look for an alternate way to apply the MFA. One potential way I was considering was to filter it based on the Endpoint Resolver value. I did find one reference in the idp-saml-api-3.3.1.jar, though I'm unsure how to extract it and use it.

ClassName: net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts
Function: doExecute
Variable: resolvedEndpoint.getLocation()

Are there any other ways the endpoint URL can be extracted and used to apply MFA on? Would this cause any security concerns? Can someone please provide some insights/suggestions on how to address this? 😊

The concerned data:

Entity ID/Relying Party ID (the same for both Apps): https://corp.collegenet.com/shibboleth-sp/

Endpoint Resolver Values:

  *   25Live  https://25live.collegenet.com/sc/Shibboleth.sso/SAML2/POST
  *   AW https://admit.applyweb.com/admit/shibboleth/sc/Shibboleth.sso/SAML2/POST

Thank you,
Nikhil Naini.
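The following is an added example, not code from the original post and not Shibboleth's own code. It shows one way to make the MFA decision per AssertionConsumerService endpoint rather than per EntityID: instead of the outbound resolvedEndpoint, it reads the ACS URL that the inbound AuthnRequest carries (OpenSAML's AuthnRequest.getAssertionConsumerServiceURL()) and keys the policy off that. The security caveat the post asks about is handled explicitly: the ACS URL in an unsigned AuthnRequest is chosen by whoever sends the request, so the script only relaxes MFA for a URL that matches the SP's metadata exactly, and fails closed (requires the second factor) when the URL is unregistered or absent. An attacker who asks for the password-only endpoint gets an assertion addressed to that endpoint, which the MFA-protected application's SP should not accept as its own. The decision is a plain ES5 function so it runs under Node and under the Nashorn engine used by IdP v3 scripts; the wiring as a scripted nextFlowStrategy transition in mfa-authn-config.xml, the metadata list, the policy list and the flow ID "authn/Duo" are all assumptions for illustration.

```javascript
// Added example, not code from the original post or from Shibboleth. It shows how a
// per-endpoint MFA decision could be expressed for a Shibboleth IdP v3 MFA
// "nextFlowStrategy" script: the decision itself is a plain ES5 function (so it runs
// under Node and under the Nashorn engine the IdP uses), and the IdP-specific glue
// that feeds it is at the bottom. Metadata, policy and flow IDs are constructed.

// Constructed: ACS locations registered in SP metadata for the shared entityID.
// Only URLs from metadata are ever trusted; the request's ACS URL is attacker-chosen
// when the AuthnRequest is unsigned and must be matched against this list.
var METADATA_ACS = {
  "https://corp.collegenet.com/shibboleth-sp/": [
    "https://25live.collegenet.com/sc/Shibboleth.sso/SAML2/POST",
    "https://admit.applyweb.com/admit/shibboleth/sc/Shibboleth.sso/SAML2/POST"
  ]
};

// Constructed policy: endpoints that need a second factor. Everything else under the
// same entityID stays password-only (e.g. resource accounts on the other app).
var MFA_REQUIRED_ACS = [
  "https://25live.collegenet.com/sc/Shibboleth.sso/SAML2/POST"
];

// Hypothetical flow IDs. In a real deployment FLOW_SECOND_FACTOR is the ID of the
// configured second-factor login flow; returning null ends the MFA flow after the
// first factor.
var FLOW_PASSWORD_ONLY = null;
var FLOW_SECOND_FACTOR = "authn/Duo";

function contains(list, value) {
  return list.indexOf(value) !== -1;
}

// Decide which flow to run next for this entityID and the ACS URL carried in the
// AuthnRequest (null when the request did not specify one).
function selectNextFlow(entityId, requestedAcs) {
  var registered = METADATA_ACS[entityId];
  if (!registered) {
    // Not an entity covered by this per-endpoint rule; other transitions decide.
    return FLOW_PASSWORD_ONLY;
  }
  if (requestedAcs === null || requestedAcs === undefined) {
    // No ACS in the request, so the IdP will fall back to the metadata default and we
    // cannot tell which application is calling. Fail closed: require the second factor
    // if any endpoint of this entity needs it.
    for (var i = 0; i < registered.length; i++) {
      if (contains(MFA_REQUIRED_ACS, registered[i])) {
        return FLOW_SECOND_FACTOR;
      }
    }
    return FLOW_PASSWORD_ONLY;
  }
  if (!contains(registered, requestedAcs)) {
    // Unregistered ACS: endpoint resolution will reject it later, so never let it
    // relax policy. Exact string match only, no prefix or host comparison.
    return FLOW_SECOND_FACTOR;
  }
  return contains(MFA_REQUIRED_ACS, requestedAcs) ? FLOW_SECOND_FACTOR : FLOW_PASSWORD_ONLY;
}

// IdP glue (for Nashorn; not exercised under Node). `input` is the
// ProfileRequestContext the MFA script receives. The entityID is read the same way
// as in the post; the ACS URL comes from the inbound AuthnRequest via OpenSAML's
// AuthnRequest.getAssertionConsumerServiceURL(). A request that selects its
// endpoint by AssertionConsumerServiceIndex instead is treated as "no ACS given".
function nextFlowFromInput(input) {
  var rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
  var entityId = rpCtx ? rpCtx.getRelyingPartyId() : null;
  var inbound = input.getInboundMessageContext();
  var msg = inbound ? inbound.getMessage() : null;
  var acs = null;
  if (msg && typeof msg.getAssertionConsumerServiceURL === "function") {
    acs = msg.getAssertionConsumerServiceURL();
  }
  return selectNextFlow(entityId, acs);
}
```

Under this policy the 25Live endpoint gets the second factor, the applyweb endpoint stays password-only, and any value that is not byte-for-byte one of the metadata locations (a trailing slash, a different host, or no ACS at all) is treated as needing MFA. Whether the metadata list is hardcoded as here or pulled from the IdP's metadata resolver is a deployment choice; the important part is that the relaxation path only ever matches against metadata, never against the raw request.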