SP requesting MFA login

Jeffrey Williams jfwillia at uncg.edu
Tue Sep 17 12:58:32 EDT 2019

I'm looking for guidance on the best approach to a request.

We're currently running 3.3.3 using the native Duo plugin and the IDP has
only one flow. It's scripted to check to see if the user is enrolled in MFA
before presenting authn/Duo.

We have a vendor using Shibboleth SP that we're looking to integrate with
and one of the requirements is that authorized users must MFA into the
service.  My first thought was to have the SP configured their
authnContextClassRef   to our MFA value ("https://refeds.org/profile/mfa").
However, it seems that the IdP's authentication flow short-circuits after
1FA and sends an error back to the SP saying:

> SAML response reported an IdP error.
> Error from identity provider:
> *Sub-Status:* urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext
> *Message:* An error occurred.
*Status:* urn:oasis:names:tc:SAML:2.0:status:Requester

With the following in the IdP logs:

2019-09-16 19:21:30,180 - INFO
[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152] -
Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'jfwillia'
2019-09-16 19:21:30,191 - DEBUG
[net.shibboleth.idp.session.impl.DetectIdentitySwitch:148] - Profile Action
DetectIdentitySwitch: No previous session found, nothing to do
2019-09-16 19:21:30,191 - WARN
[net.shibboleth.idp.authn.impl.FinalizeAuthentication:179] - Profile Action
FinalizeAuthentication: Authentication result for flow authn/MFA did not
satisfy the request
2019-09-16 19:21:30,195 - WARN
[org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event
occurred while processing the request: RequestUnsupported

This is regardless of MFA enrollment.

I checked through the docs and didn't find anything that seemed to answer
the question.  Is there a way to maintain the single authentication flow
and have it only authenticate MFA users for this SP?

Jeffrey Williams
Identity Engineer
Identity & Access Services
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190917/4468b7a7/attachment.html>

More information about the users mailing list