Using an activation condition with a MFA transition map
Guillaume Rousse
guillaume.rousse at renater.fr
Wed Sep 18 08:50:47 EDT 2019
While trying to figure out how to script a network-based condition for
MFA flow selection, I found the Activation Condition documentation:
https://wiki.shibboleth.net/confluence/display/IDP30/ActivationConditions
I couldn't succeed using the Client Address Ranges example with the MFA
transition map, though.
This doesn't work:
<bean id="MyCondition"
      class="org.opensaml.profile.logic.IPRangePredicate"
      p:httpServletRequest-ref="shibboleth.HttpServletRequest"
      p:ranges="#{ '192.168.1.0/24', '192.168.2.0/28' }" />

<entry key="authn/Flow1">
    <bean parent="shibboleth.authn.MFA.Transition"
          p:activationCondition-ref="MyCondition" />
</entry>
-> invalid property error
And this doesn't either:
<entry key="authn/Flow1">
    <bean parent="shibboleth.authn.MFA.Transition"
          p:nextFlowStrategy-ref="MyCondition" />
</entry>
-> invalid type error.
While the documentation explicitly mentions "Limiting when
authentication flows may be used" as a potential use case for this
feature, I guess it only applies to top-level flow selection, not to
subflow transitions inside the MFA flow.
Did I miss something here?
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr