SP requesting MFA login
Jeffrey Williams
jfwillia at uncg.edu
Tue Sep 17 22:38:54 EDT 2019
On Tue, Sep 17, 2019 at 6:53 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 9/17/19, 3:20 PM, "users on behalf of Jeffrey Williams" <
> users-bounces at shibboleth.net on behalf of jfwillia at uncg.edu> wrote:
>
> > David is correct. Apologies for the lack of detail. Any user,
> regardless of their MFA enrollment status, will encounter
> > that error when they try to log into an SP that is requesting the MFA
> profile. Here is how our flow looks today(largely
> >> adapted from our 2.x environment that used this as a reference)
>
> I think you have the logic backwards.
>
> > if (mfaCtx.isAcceptable()) {
> > // Attribute check is required to decide if first
> factor alone is enough.
>
> This conditional is (abstractly speaking) checking whether the SP is
> asking for anything beyond a password, but it's only executing your
> attribute logic if it *isn't*. So the SP asking for MFA is bypassing it.
>
You are correct. That is indeed (partially) the reverse of what I'd want.
I'd like for enrolled users to be presented with the Duo pane, regardless
of what the SP requests. However, if they're not enrolled and password is
insufficient, throw an error. Otherwise, complete successfully. I played
around with the logic a bit and came up with:
nextFlow = null;
//JFW: Adding logger per Shweta's comment
logger =
Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute.resolver");
// Go straight to second factor if we have to, or set up
for an attribute lookup first.
authCtx =
input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
mfaCtx =
authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
//JFW: Negate and move mfaCtx.isAcceptable() to an else
if after checking for enrollment.
// Attribute check is required to decide if first
factor alone is enough.
resCtx = input.getSubcontext(
"net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext",
true);
resCtx.setPrincipal(input.getSubcontext(
"net.shibboleth.idp.authn.context.SubjectCanonicalizationContext").getPrincipalName());
resCtx.getRequestedIdPAttributeNames().add("ADmemberOf");
resCtx.resolveAttributes(custom);
// Check for an attribute that authorizes use of first
factor.
attribute =
resCtx.getResolvedIdPAttributes().get("ADmemberOf");
valueType =
Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
//JFW: regardless of what's requested from the SP, if the
user is enrolled, present them with the Duo prompt
if (attribute != null && attribute.getValues().contains(new
valueType("CN=Duo_stagedactive2FA,OU=Duo,OU=apps,OU=groups,O=uncg"))) {
logger.info(" User in Duo_stagedactive2FA,
Prompting for DUO ");
nextFlow = "authn/Duo";
} else if (!mfaCtx.isAcceptable()) { //JFW: however,
if they're not enrolled and password just isn't good enough...
//JFW: I'd like to throw an error page up
to the user, saying that the SP requires MFA in order to proceed
logger.info("SP requires MFA, of which this
user is not enrolled. Failing out");
}
input.removeSubcontext(resCtx); // cleanup
nextFlow; // pass control to second factor or end with
the first
I *think* this is doing what I intend, but I'd also like it to throw an
error page on the IdP side if the SP requires MFA and the user is not
enrolled. Would I use a custom event as described here to handle that, or
is there a better way(
https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration#AuthenticationConfiguration-CustomEvents
)?
--
Jeffrey Williams
Identity Engineer
Identity & Access Services
https://its.uncg.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190917/869f8507/attachment.html>
More information about the users
mailing list