Varying authnContextClassRef requirements by source IP

Robert Bradley robert.bradley at it.ox.ac.uk
Wed Apr 29 13:37:44 EDT 2020



At the moment, we have some services that are only available within
the University network.  Given that most people are now working from
home, I was looking into the possibility of an SP requiring two factor
authentication, but only for off-network authentication.

I currently have the following Apache configuration:

<Location />
    AuthType Shibboleth
    ShibRequestSetting requireSession 1
    <RequireAll>
        Require shib-attr affiliation member@ox.ac.uk
        <RequireAny>
            # Example IP range
            Require ip 10.0.0.0/8
            <RequireAll>
                ShibRequestSetting authnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
                Require authnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
            </RequireAll>
        </RequireAny>
    </RequireAll>
</Location>

Line-wrapping aside, this works in that people that are off-network
and aren't authenticated with two-factor authentication are denied
access.  However, if users are only authenticated via a single factor,
they are denied access with no way to upgrade.  (As the
ShibRequestSetting applies regardless of source IP address,
unauthenticated users always end up being asked to authenticate with
MFA.)

What I'd like to be able to do is to send the people who are only
single-factor authenticated back to the IdP to reauthenticate, and for
unauthenticated users to be asked for single or multi-factor depending
on location (but allowing for SSO).  That rules out setting forceAuthn
as far as I know, since all users would have to reauthenticate in that
case.  Does anyone know how to set this up, or know if this is not
possible?

-- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
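The following is an added example, not part of the original post and not Shibboleth SP or Apache code. It models in plain Python the access decision the posted Apache block expresses (affiliation AND (on-network OR MFA context)) next to the decision the post asks for: unauthenticated users are sent to the IdP with a context chosen by source address, and a user holding only a single-factor session from off-network is sent back for step-up instead of a flat denial. The TimeSyncToken context and the 10.0.0.0/8 range come from the post; the PasswordProtectedTransport context, the exact-match affiliation value, the sample client addresses and the Outcome/Decision types are constructed for the model.

```python
"""Model of a location-aware step-up authentication policy.

Constructed example: not Shibboleth SP code and not an Apache
configuration.  It evaluates a request (client IP plus any existing SP
session) against two policies and returns what the SP would do next.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional

# Context class from the post; the password context is an assumption for
# the single-factor case.
MFA_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

ON_NETWORK = [ip_network("10.0.0.0/8")]      # example range from the post
REQUIRED_AFFILIATION = "member@ox.ac.uk"     # assumption: exact scoped-affiliation match


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    AUTHENTICATE = "authenticate"   # redirect to the IdP requesting a context


@dataclass
class Session:
    """An existing SP session: the attributes the authz rules consult."""
    affiliation: str
    authn_context: str


@dataclass
class Outcome:
    decision: Decision
    requested_context: Optional[str] = None   # set only for AUTHENTICATE


def on_network(client_ip: str) -> bool:
    """True when the client address falls inside any on-network range."""
    addr = ip_address(client_ip)
    return any(addr in net for net in ON_NETWORK)


def current_policy(client_ip: str, session: Optional[Session]) -> Outcome:
    """What the posted configuration does.

    The requested context is fixed to MFA for every unauthenticated user,
    and a single-factor session from off-network is simply denied.
    """
    if session is None:
        return Outcome(Decision.AUTHENTICATE, MFA_CONTEXT)
    if session.affiliation != REQUIRED_AFFILIATION:
        return Outcome(Decision.DENY)
    if on_network(client_ip) or session.authn_context == MFA_CONTEXT:
        return Outcome(Decision.ALLOW)
    return Outcome(Decision.DENY)   # no upgrade path for this session


def desired_policy(client_ip: str, session: Optional[Session]) -> Outcome:
    """What the post asks for.

    The context requested from the IdP depends on source address, an
    existing session that satisfies the rules is reused (SSO preserved),
    and a single-factor session seen from off-network triggers a step-up
    request instead of a denial.
    """
    required = PASSWORD_CONTEXT if on_network(client_ip) else MFA_CONTEXT
    if session is None:
        return Outcome(Decision.AUTHENTICATE, required)
    if session.affiliation != REQUIRED_AFFILIATION:
        return Outcome(Decision.DENY)
    if on_network(client_ip) or session.authn_context == MFA_CONTEXT:
        return Outcome(Decision.ALLOW)
    # Off-network with only a single factor: ask the IdP for MFA.
    return Outcome(Decision.AUTHENTICATE, MFA_CONTEXT)


if __name__ == "__main__":
    single_factor = Session("member@ox.ac.uk", PASSWORD_CONTEXT)
    for ip in ("10.1.2.3", "192.0.2.10"):            # constructed sample clients
        for sess in (None, single_factor):
            print(ip, sess, "current:", current_policy(ip, sess),
                  "desired:", desired_policy(ip, sess))
```

The interesting row is the off-network single-factor session: the posted configuration yields DENY for it, while the desired policy yields AUTHENTICATE with the MFA context, which is the "send them back to the IdP to reauthenticate" behaviour the post describes. Whether the SP can be made to do that without forceAuthn is the open question in the post; the model only makes the target behaviour explicit.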

