SP requesting MFA login

Jeffrey Williams jfwillia at uncg.edu
Tue Sep 17 22:38:54 EDT 2019

On Tue, Sep 17, 2019 at 6:53 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 9/17/19, 3:20 PM, "users on behalf of Jeffrey Williams" <users-bounces at shibboleth.net on behalf of jfwillia at uncg.edu> wrote:
>
> > David is correct.  Apologies for the lack of detail.  Any user, regardless of their MFA enrollment status, will encounter that error when they try to log into an SP that is requesting the MFA profile.  Here is how our flow looks today (largely adapted from our 2.x environment that used this as a reference)
>
> I think you have the logic backwards.
>
> >     if (mfaCtx.isAcceptable()) {
> >         // Attribute check is required to decide if first factor alone is enough.
>
> This conditional is (abstractly speaking) checking whether the SP is asking for anything beyond a password, but it's only executing your attribute logic if it *isn't*. So the SP asking for MFA is bypassing it.

You are correct.  That is indeed (partially) the reverse of what I'd want.
I'd like for enrolled users to be presented with the Duo pane, regardless
of what the SP requests.  However, if they're not enrolled and password is
insufficient, throw an error.  Otherwise, complete successfully.   I played
around with the logic a bit and came up with:

    nextFlow = null;

    // JFW: Adding logger per Shweta's comment
    logger =

    // Go straight to second factor if we have to, or set up for an attribute lookup first.
    authCtx =
    mfaCtx =

    // JFW: Negate and move mfaCtx.isAcceptable() to an else if after checking for enrollment.
    // Attribute check is required to decide if first factor alone is enough.
    resCtx = input.getSubcontext(

    // Check for an attribute that authorizes use of first
    attribute =
    valueType =

    // JFW: regardless of what's requested from the SP, if the user is enrolled,
    // present them with the Duo prompt
    if (attribute != null && attribute.getValues().contains(new valueType("CN=Duo_stagedactive2FA,OU=Duo,OU=apps,OU=groups,O=uncg"))) {
        logger.info(" User in Duo_stagedactive2FA, Prompting for DUO ");
        nextFlow = "authn/Duo";
    } else if (!mfaCtx.isAcceptable()) {
        // JFW: however, if they're not enrolled and password just isn't good enough...
        // JFW: I'd like to throw an error page up to the user, saying that the SP
        // requires MFA in order to proceed
        logger.info("SP requires MFA, of which this user is not enrolled.  Failing out");
    }

    input.removeSubcontext(resCtx);   // cleanup

    nextFlow;   // pass control to second factor or end with the first

I *think* this is doing what I intend, but I'd also like it to throw an
error page on the IdP side if the SP requires MFA and the user is not
enrolled.  Would I use a custom event as described here to handle that, or
is there a better way(

Jeffrey Williams
Identity Engineer
Identity & Access Services
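The following is an added illustration, not code from this thread or from the Shibboleth project. It models the transition decision discussed above as pure functions so the two orderings of the checks can be compared on every combination of "user enrolled in Duo" and "SP requires MFA". The mfaCtx and attribute objects are constructed stand-ins for Shibboleth's contexts (only isAcceptable() and getValues() imitate the calls used in the thread), the "straight to second factor" else branch of the first version is inferred from the posted comment, and the custom event id MFARequiredNotEnrolled is a hypothetical name for the error outcome.

```javascript
// Added example: pure-function model of the MFA transition decision.
// Group DN as posted in the thread; the event id is an assumption.
const DUO_ENROLLED_GROUP = "CN=Duo_stagedactive2FA,OU=Duo,OU=apps,OU=groups,O=uncg";
const MFA_REQUIRED_EVENT = "MFARequiredNotEnrolled"; // hypothetical custom event id for the error page

// Stand-in for the MFA context: isAcceptable() is true when the password
// alone already satisfies what the SP requested.
function makeMfaCtx(spRequiresMfa) {
  return { isAcceptable: () => !spRequiresMfa };
}

// Stand-in for the resolved group attribute; null models "attribute not resolved".
function makeAttribute(groups) {
  return groups === null ? null : { getValues: () => groups };
}

function isEnrolled(attribute) {
  return attribute !== null && attribute.getValues().includes(DUO_ENROLLED_GROUP);
}

// Shape of the first version: the enrollment check runs only when the
// password alone is acceptable; otherwise the flow goes straight to the
// second factor (assumed from the posted comment). An SP that asks for MFA
// therefore bypasses the enrollment check and unenrolled users reach Duo.
function originalDecision(mfaCtx, attribute) {
  let nextFlow;
  if (mfaCtx.isAcceptable()) {
    nextFlow = isEnrolled(attribute) ? "authn/Duo" : null;
  } else {
    nextFlow = "authn/Duo";
  }
  return nextFlow;
}

// Revised ordering from the reply: enrollment first, then the SP requirement.
// An unenrolled user facing an MFA-requiring SP yields an error event instead
// of a Duo prompt they cannot complete; otherwise the password suffices.
function revisedDecision(mfaCtx, attribute) {
  let nextFlow = null;
  if (isEnrolled(attribute)) {
    nextFlow = "authn/Duo";
  } else if (!mfaCtx.isAcceptable()) {
    nextFlow = MFA_REQUIRED_EVENT;
  }
  return nextFlow;
}

// Run a decision function over constructed cases covering enrollment,
// SP demand, and a missing attribute.
function decisionTable(decide) {
  const enrolledAttr = makeAttribute(["CN=staff,O=uncg", DUO_ENROLLED_GROUP]);
  const unenrolledAttr = makeAttribute(["CN=staff,O=uncg"]);
  const cases = {
    "enrolled/spMfa": [makeMfaCtx(true), enrolledAttr],
    "enrolled/password": [makeMfaCtx(false), enrolledAttr],
    "unenrolled/spMfa": [makeMfaCtx(true), unenrolledAttr],
    "unenrolled/password": [makeMfaCtx(false), unenrolledAttr],
    "noAttribute/spMfa": [makeMfaCtx(true), makeAttribute(null)],
  };
  const out = {};
  for (const [name, [ctx, attr]] of Object.entries(cases)) {
    out[name] = decide(ctx, attr);
  }
  return out;
}

console.log(JSON.stringify({
  original: decisionTable(originalDecision),
  revised: decisionTable(revisedDecision),
}, null, 2));
```

The table makes the difference concrete: in the first ordering "unenrolled/spMfa" resolves to "authn/Duo", which is the bypass Scott describes, while in the revised ordering the same case resolves to the error event and the enrolled cases always resolve to "authn/Duo" regardless of what the SP asked for. A missing attribute is treated as not enrolled in both versions, which is the conservative reading.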