Forcing the timeout of 2nd factor in a MFA login
Julian Williams
julian.williams at it.ox.ac.uk
Mon Feb 10 09:53:56 EST 2020
Dear Shibboleth users,
We are testing a new MFA flow with IdP 3.4 which uses the standard
Password flow as the first factor and a custom flow that checks an OTP
as the second factor. This is used by only one application here and that
uses a Shibboleth Service Provider which we have control over. The MFA
flow is chosen when the SP requests an authnContextClassRef of
"urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken".
Is there any way of reducing the session lifetime of the second factor
to 15 min whilst keeping the default/Password lifetime to 10 hours?
Ideally what we'd like is for the application to request a new
authentication after 15 min of inactivity, and we want users to just be
prompted for the 2nd factor and not their password again.
I've experimented with changing various things but at the moment I can
either trigger the whole MFA flow to rerun, including asking for the
password, or not at all.
These are the pertinent config settings I think...
#### conf/idp.properties ####
idp.session.timeout = PT10H
idp.authn.flows= MFA
idp.authn.defaultLifetime = PT10H
idp.authn.defaultTimeout = PT10H
#### conf/authn/general-authn.xml ####
...
<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true"
p:lifetime="PT15M">
...
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true" />
...
<bean id="authn/AVWebFlow" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false"
p:forcedAuthenticationSupported="true"
p:lifetime="PT15M">
...
#### conf/authn/mfa-authn-config.xml ####
<util:map id="shibboleth.authn.MFA.TransitionMap">
<!-- First rule runs the Password login flow. -->
<entry key="">
<bean parent="shibboleth.authn.MFA.Transition"
p:nextFlow="authn/Password" />
</entry>
<entry key="authn/Password">
<bean parent="shibboleth.authn.MFA.Transition"
p:nextFlowStrategy-ref="checkSecondFactor" />
</entry>
<!-- An implicit final rule will return whatever the final flow
returns. -->
</util:map>
<!-- Example script to see if second factor is required. -->
<bean id="checkSecondFactor"
parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
p:customObject-ref="shibboleth.AttributeResolverService">
<constructor-arg>
<value>
<![CDATA[
nextFlow = "authn/AVWebFlow";
authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
if (mfaCtx.isAcceptable()) {
nextFlow = null;
}
nextFlow; // pass control to second factor or end with the first
]]>
</value>
</constructor-arg>
</bean>
If I just set the p:lifetime="PT15M" on the bean for the 2nd factor flow
(authn/AVWebFlow) the IdP appears to ignore it and carries on issuing
assertions after the 15 min has elapsed. If I also set this lifetime on
the MFA bean (authn/MFA) then the lifetime is honored, but then I get
prompts for both factors, which isn't what I'd like.
I've also tried using a maxTimeSinceAuthn setting on the SP but all that
does is make the SP throw an error and doesn't force a re-authentication
which is what we were hoping for.
We could also set forceAuthn="true" on the SP side, but I'm assuming that
that will trigger the complete MFA flow to run, i.e. both factors.
Any advice much appreciated.
Cheers,
Julian
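The decision the checkSecondFactor script makes can be modelled outside the IdP. The following is an added Node.js example, not code from the post or from the Shibboleth project: it keeps the transition logic of the posted script but adds a per-factor freshness window so that only the OTP step is re-run once its own result is older than 15 minutes, while a password result of any age is left alone. It assumes, as a stand-in for the IdP API, that the MFA context exposes getActiveResults() as a map of flow id to result and that each result exposes getAuthenticationInstant() in epoch milliseconds; the context objects below are constructed mocks.

```javascript
// Added example (not from the original post or the Shibboleth project):
// a stand-alone model of a "checkSecondFactor" decision that enforces a
// freshness window on the second factor only.
// Assumption: the real MFA context offers getActiveResults() (flow id ->
// result) and each result offers getAuthenticationInstant() in epoch ms.

const SECOND_FACTOR_FLOW = "authn/AVWebFlow";
const SECOND_FACTOR_MAX_AGE_MS = 15 * 60 * 1000; // PT15M

// Decide which flow the MFA transition should run next.
// Returns the second-factor flow id when the OTP result is missing or
// stale, or null to finish with the results already on hand.
function chooseNextFlow(mfaCtx, nowMs) {
  const active = mfaCtx.getActiveResults();
  const otp = active.get(SECOND_FACTOR_FLOW);
  if (!otp) {
    return SECOND_FACTOR_FLOW;   // never done, or already dropped from session
  }
  const ageMs = nowMs - otp.getAuthenticationInstant();
  if (ageMs > SECOND_FACTOR_MAX_AGE_MS) {
    return SECOND_FACTOR_FLOW;   // password still fine, OTP too old
  }
  return null;                   // both factors fresh enough
}

// Constructed mocks of the MFA context and of an authentication result.
function mockMfaContext(results) {
  return { getActiveResults: () => results };
}
function mockResult(authnInstantMs) {
  return { getAuthenticationInstant: () => authnInstantMs };
}

// Walk through the three situations the post describes.
function demo() {
  const now = Date.parse("2020-02-10T14:53:56Z");   // constructed "now"
  const minutesAgo = (m) => now - m * 60 * 1000;
  const cases = {
    passwordOnly: mockMfaContext(new Map([
      ["authn/Password", mockResult(minutesAgo(5))]])),
    bothFresh: mockMfaContext(new Map([
      ["authn/Password", mockResult(minutesAgo(120))],
      [SECOND_FACTOR_FLOW, mockResult(minutesAgo(10))]])),
    otpStale: mockMfaContext(new Map([
      ["authn/Password", mockResult(minutesAgo(120))],
      [SECOND_FACTOR_FLOW, mockResult(minutesAgo(20))]])),
  };
  const out = {};
  for (const [name, ctx] of Object.entries(cases)) out[name] = chooseNextFlow(ctx, now);
  return out;   // { passwordOnly: "authn/AVWebFlow", bothFresh: null, otpStale: "authn/AVWebFlow" }
}
```

Run with `node` and call demo(); the otpStale case is the one where only the second factor is re-prompted while the two-hour-old password result is kept.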