Ex: Re: idp 4 upgrade, tuning MFA implementation

Paul B. Henson henson at cpp.edu
Fri Apr 24 16:48:44 EDT 2020

> From: Cantor, Scott
> Sent: Friday, April 24, 2020 7:59 AM
> My way of doing this is generally to carefull stick to making sure that the
> resulting Principal set in each result always accurately reflects what methods
> the user did

Ah, ok. How does one make sure of such a thing :)? My current configuration starts off with password:

<entry key=""><bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />

then proceeds to the second factor check script:

<entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />

which either returns null if authentication can proceed without MFA, authn/Duo if MFA is available, or calls mfaCtx.setEvent to generate a custom error if MFA is needed and can't be done. Would this satisfy the condition you mentioned?

>, so if I wanted to check later to see what happened, I could just
> scan the Subject for an AuthnContextClassRefPrincipal of a certain value.

The documentation for configuring and using the idp is really good, but personally I have a lot of trouble with JavaScript that needs to access the various internals. I guess the primary documentation for that is the API documentation:


but without some fair amount of knowledge about the internals, when a requirement comes up such as "scan the Subject for an AuthnContextClassRefPrincipal of a certain value in the MFA reuseCondition script", I always feel like I'm just stumbling around in the dark :(. Should I start digging into net.shibboleth.idp.authn? Or maybe it's in net.shibboleth.idp.authn.principal, or net.shibboleth.idp.authn.principal.impl, or one of a number of other classes that sound promising. And then even if I find it, figuring out how to get my hands on that specific object inside of the script is another journey. There are various examples of scripts in the configuration documentation, but am I missing someplace that has a more general description of how to configure them and how to navigate around the various pieces to get to the data you need?

> just a way of grouping the services under a special RelyingPartyConfiguration
> with an ID that you can check for in your script later to know that it was one
> of those IDs. The RelyingPartyContext has the configuration object, which
> has the ID field.
> There's an example of it in the ActivationConditions page under Relying Party
> By Tag.

I think I've got a handle on the XML configuration, it's just accessing that in the JavaScript that I get lost on.

My current MFA script already gets the RelyingPartyContext:

rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");

so from there, I would need to pull the configuration object:

cfg = rpCtx.getConfiguration();

from which I could then get the ID:

cfg.getId()

and compare it to the ID of the relying party override? I don't see an explicitly provided ID given in the override syntax though? Where does that value come from?

<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
    <property name="profileConfigurations">
        <!-- Your refs or beans here. -->

Thanks much, sorry to be so fumbling here :(.
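An added example, not from this thread or from the Shibboleth project, of how the two lookups discussed in the message above fit into a scripted nextFlowStrategy for the IdP 4 MFA flow: the RelyingPartyConfiguration id taken from the RelyingPartyContext, and the AuthnContextClassRefPrincipal values read from each active result's Subject. The decision itself is a plain function with no Java types so it can be unit-tested outside the IdP; only the guarded block at the end touches the Java objects, and it runs only under the IdP's script engine (Nashorn), where `input` is the ProfileRequestContext. `MFARequiredRPs` (assumed to be the Spring `id` attribute given to the RelyingPartyByName override that groups the MFA services) and `http://example.org/ac/classes/mfa` (assumed to be the class ref the Duo flow asserts via its supportedPrincipals) are deployer choices, not IdP constants. The poster's Duo-availability check and the setEvent error path are left out to keep the example to the two questions asked.

```javascript
// Added illustration of a scripted nextFlowStrategy for the Shibboleth IdP 4 MFA flow.
// Not code from the mailing-list thread or the IdP distribution. Values marked
// "assumed" are deployer configuration, not IdP constants.

// Assumed: bean id of the RelyingPartyByName override grouping the MFA services,
// e.g. <bean id="MFARequiredRPs" parent="RelyingPartyByName" c:relyingPartyIds="...">
var MFA_RP_CONFIG_ID = "MFARequiredRPs";
// Assumed: the AuthnContextClassRef the Duo flow is configured to assert.
var DUO_CLASS_REF = "http://example.org/ac/classes/mfa";

// Pure decision logic: which flow to run next, given the matched RP configuration id
// and the class refs already present in the active results' Subjects.
function decideNextFlow(rpConfigId, classRefs) {
    if (rpConfigId === null) {
        return "authn/Duo";   // no RP configuration resolved: fail closed, require the second factor
    }
    if (rpConfigId !== MFA_RP_CONFIG_ID) {
        return null;          // service is not in the MFA group: the password result is enough
    }
    if (classRefs.indexOf(DUO_CLASS_REF) !== -1) {
        return null;          // a Subject already carries the Duo class ref (e.g. a reused result)
    }
    return "authn/Duo";
}

// Walk a java.util.Iterable (Collection, Set) via its iterator; Nashorn has no
// for-of over Java collections without extra flags, so this works everywhere.
function eachJava(iterable, fn) {
    var it = iterable.iterator();
    while (it.hasNext()) {
        fn(it.next());
    }
}

// Collect the names of every AuthnContextClassRefPrincipal in every active
// AuthenticationResult's Subject. acrClass is the java.lang.Class of
// AuthnContextClassRefPrincipal (obtained via Java.type(...).class in the IdP).
function collectClassRefs(mfaCtx, acrClass) {
    var refs = [];
    eachJava(mfaCtx.getActiveResults().values(), function (result) {
        eachJava(result.getSubject().getPrincipals(acrClass), function (p) {
            refs.push(String(p.getName()));
        });
    });
    return refs;
}

// The RelyingPartyConfiguration that matched this request carries the bean id of
// the override it came from; null if no context or configuration is present.
function relyingPartyConfigId(rpCtx) {
    var cfg = rpCtx === null ? null : rpCtx.getConfiguration();
    return cfg === null ? null : String(cfg.getId());
}

// Glue that runs only inside the IdP's script engine, where `Java` is the Nashorn
// bridge and `input` is the ProfileRequestContext handed to the strategy.
var nextFlow = null;
if (typeof Java !== "undefined" && typeof input !== "undefined") {
    var acrClass = Java.type("net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal").class;
    var rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
    var authnCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
    var mfaCtx = authnCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
    nextFlow = decideNextFlow(relyingPartyConfigId(rpCtx), collectClassRefs(mfaCtx, acrClass));
}
// The strategy's result is the value of the script's last expression.
nextFlow;
```

Two design points: the decision fails closed, so a request for which no RelyingPartyConfiguration could be read is sent to Duo rather than silently let through on the password alone; and the same two helpers fit a reuseCondition predicate, which differs only in that its last expression must evaluate to true or false instead of a flow id.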
