Autumn flow: MFA and Password interoperability

NAINI, NIKHIL NAINI at mailbox.sc.edu
Fri Jul 12 12:16:36 EDT 2019


https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration#MultiFactorAuthnConfiguration-RunningLoginFlowsandReusingResults
This page has some info on how to re-use the MFA flows

If you actually need to pull out the values, can you try this: getAuthenticationFlowDescriptor().getId()?

Not sure which subtree it would come under (or how to retrieve its subcontext), but the class name is: net.shibboleth.idp.authn.impl.FinalizeMultiFactorAuthentication
It's in the jar file: idp-authn-impl-3.3.1.jar

It's also configured in the system beans in the file: shibboleth-idp/system/flows/authn/mfa-authn-beans.xml

    <!-- The resultMergingStrategy property is the one we're interested in. -->
    <bean id="FinalizeMultiFactorAuthentication" scope="prototype"
        class="net.shibboleth.idp.authn.impl.FinalizeMultiFactorAuthentication"
        p:resultMergingStrategy="#{getObject('shibboleth.authn.MFA.resultMergingStrategy')}"
        p:resultCachingPredicate="#{getObject('shibboleth.authn.MFA.resultCachingPredicate')}" />



-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Mak, Steve
Sent: Friday, July 12, 2019 11:30 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Autumn flow: MFA and Password interoperability

So I've converted everything to MFA flow and built a bypass in the checkSecondFactor script and set reuseCondition="false" on authn/MFA.

If I need to run some code block ONLY if the Duo flow was previously NOT run, how would I do that?

I've tried comparing authContext.getActiveResults().get('authn/MFA') with authContext.getAuthenticationResult() and authContext.getInitialAuthenticationResult(), but none of that seems to work.

2019-07-12 10:15:00,266 - INFO [authn/MFA-checkSecondFactor:12] - Authentication result: null
2019-07-12 10:15:00,266 - INFO [authn/MFA-checkSecondFactor:15] - Previous authn/MFA results: AuthenticationResult{authenticationFlowId=authn/MFA, authenticatedPrincipal=blahblah, authenticationInstant=2019-07-12T10:14:52.314-04:00, lastActivityInstant=2019-07-12T10:14:52.314-04:00, previousResult=true}

And this is after I logged into a duo app, killed the SP shib_session cookie, and did a full SAML flow again.

- Steve Mak

-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
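The "only if Duo was NOT previously run" check Steve asks about, as an added example; this is not code from the thread or from the Shibboleth project. It is written in the JavaScript dialect the IdP's MFA transition scripts use, with the decision pulled into a pure function so it can be exercised outside the IdP. It looks for a Duo result in the MultiFactorAuthenticationContext's active results map (keyed by flow ID, as the wiki page linked above describes) and uses isPreviousResult() to tell a result reused from the session from a Duo interaction that happened in this login; the flow ID "authn/Duo" and the assumption that the result merging strategy leaves a prior Duo result visible in that map are assumptions of this example. The input, authCtx and mfaCtx objects at the bottom are constructed stand-ins that expose only getSubcontext, getActiveResults, containsKey, get and isPreviousResult; inside the IdP the script receives the real ProfileRequestContext and contexts instead.

```javascript
// Added example (not Shibboleth project code): decide the next MFA step
// from the active results a transition script can see.

// Pure decision. activeResults is a java.util.Map-like object keyed by
// flow ID; duoFlowId is the sub-flow we care about (assumed "authn/Duo").
function decideSecondFactor(activeResults, duoFlowId) {
  if (activeResults.containsKey(duoFlowId)) {
    var duo = activeResults.get(duoFlowId);
    // A result reused from the session reports isPreviousResult() == true;
    // it is not a fresh Duo interaction, so callers that need one must
    // not accept it as such.
    return { nextFlow: null, duoRan: true, fresh: !duo.isPreviousResult() };
  }
  // No Duo result at all: this is the branch that runs only when Duo was
  // NOT previously run.
  return { nextFlow: duoFlowId, duoRan: false, fresh: false };
}

// Transition-script shape used by the MFA flow: input is the
// ProfileRequestContext, the return value is the next flow ID or null
// to finish the MFA flow.
function checkSecondFactor(input) {
  var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
  var mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
  var decision = decideSecondFactor(mfaCtx.getActiveResults(), "authn/Duo");
  if (!decision.duoRan) {
    // Code that must execute only when Duo has not run goes here.
  }
  return decision.nextFlow;
}

// Constructed stand-ins so the functions above run outside the IdP.
function makeResult(flowId, previous) {
  return {
    getAuthenticationFlowId: function () { return flowId; },
    isPreviousResult: function () { return previous; }
  };
}
function makeMap(obj) {
  return {
    containsKey: function (k) { return Object.prototype.hasOwnProperty.call(obj, k); },
    get: function (k) { return obj[k]; }
  };
}
function makeInput(results) {
  var mfaCtx = { getActiveResults: function () { return makeMap(results); } };
  var authCtx = { getSubcontext: function () { return mfaCtx; } };
  return { getSubcontext: function () { return authCtx; } };
}

// Sample inputs (constructed): password only, and password plus a Duo
// result carried over from the session.
var passwordOnly = makeInput({ "authn/Password": makeResult("authn/Password", false) });
var withPriorDuo = makeInput({
  "authn/Password": makeResult("authn/Password", true),
  "authn/Duo": makeResult("authn/Duo", true)
});
checkSecondFactor(passwordOnly);   // "authn/Duo"
checkSecondFactor(withPriorDuo);   // null
```

Whether the IdP actually re-runs a sub-flow that already has an active result, rather than reusing it, is governed by that flow's reuse condition, which is the same lever (reuseCondition) the thread is already adjusting; the script above only reports what it sees and leaves that policy to the flow configuration.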

