ECP MFA -- 'mfa-authn-config.xml'

Joshua Brodie josbrodie at gmail.com
Tue Feb 11 19:18:55 EST 2020


Thank you. Appreciate the guidance.

I reverted 'general-authn.xml' back to the original file from a '3.4.6' download (full file below) -- still not getting 'http://shibboleth.ent/ns/profiles/saml2/sso/ecp' for ECP in the logging output for 'checkSecondFactor' in 'mfa-authn-config.xml'.

Should "p:nonBrowserSupported="false"" be changed to "true"? (I've previously tried either -- but I may have messed up elsewhere.) I have set up duo.properties for the default 'idp.duo.nonbrowser.*' keys.

All hunky-dory with 'http://shibboleth.net/ns/profiles/saml2/sso/browser'.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

       default-init-method="initialize"
       default-destroy-method="destroy">

    <!--
    This file provisions the IdP with information about the configured login mechanisms available for use.
    The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
    together with deployer-supplied metadata to describe them to the system.

    You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
    be used, regardless any other files loaded by the Spring container.

    Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
    and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
    expressions for password-based authentication over a secure channel, so anything more exotic requires
    customization, as the examples below for IP address and SPNEGO authentication illustrate.
    -->

    <util:list id="shibboleth.AvailableAuthenticationFlows">

        <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:lifetime="PT60S" p:inactivityTimeout="PT60S">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
                </list>
            </property>
        </bean>

        <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
                p:nonBrowserSupported="false">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="urn:ietf:rfc:1510" />
                </list>
            </property>
        </bean>

        <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
            p:nonBrowserSupported="false" />

        <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
            p:nonBrowserSupported="false" />

        <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />

        <bean id="authn/Function" parent="shibboleth.AuthenticationFlow" />

        <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
                p:nonBrowserSupported="false">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="urn:ietf:rfc:2246" />
                </list>
            </property>
        </bean>

        <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="urn:ietf:rfc:2246" />
                </list>
            </property>
        </bean>

        <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true" />

        <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
                p:forcedAuthenticationSupported="true"
                p:nonBrowserSupported="false">
            <!--
            The list below should be changed to reflect whatever locally- or
            community-defined values are appropriate to represent MFA. It is
            strongly advised that the value not be specific to Duo or any
            particular technology.
            -->
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="http://example.org/ac/classes/mfa" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="http://example.org/ac/classes/mfa" />
                </list>
            </property>
        </bean>

        <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true">
            <!--
            The list below almost certainly requires changes, and should generally be the
            union of any of the separate factors you combine in your particular MFA flow
            rules. The example corresponds to the example in mfa-authn-config.xml that
            combines IPAddress with Password.
            -->
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
                </list>
            </property>
        </bean>

    </util:list>

    <!--
    This is a map used to "weight" particular methods above others if the IdP has to randomly select one
    to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
    of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
    assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
    to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
    is chosen. Anything not in the map has a weight of zero.
    -->

    <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
        <entry>
            <key>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            </key>
            <value>1</value>
        </entry>
    </util:map>

</beans>

On Tue, 11 Feb 2020 at 15:51, Cantor, Scott <cantor.2 at osu.edu> wrote:

> >    What could be something missed we could look at?
>
> Perhaps you didn't configure the MFA method or one of the underlying
> factors as supporting non-browser access in general-authn.xml, but it
> defaults to supporting it so that would require a deliberate change. You
> have to break it to stop it from working, more or less.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
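An added check for the non-browser question in this thread (example code written for this page, not from the Shibboleth project or either poster). It parses the shibboleth.AvailableAuthenticationFlows list of a general-authn.xml, lists every flow whose p:nonBrowserSupported is "false" (the condition Scott describes: the IdP will not run such a flow for a non-browser profile like ECP), and compares the MFA flow's supportedPrincipals against the union of the principals its factors declare, as the comment on authn/MFA in the file requires. The sample XML is a constructed, trimmed copy of the file posted above, and the factor list (authn/Password plus authn/Duo) is an assumption, since mfa-authn-config.xml is not reproduced in the thread; on that input authn/Duo is reported as blocked for non-browser use and the authn/MFA list is reported as missing the Duo value http://example.org/ac/classes/mfa.

```python
"""Check a Shibboleth IdP general-authn.xml for ECP (non-browser) readiness.

Added example, not part of the thread or of the Shibboleth distribution.
"""
import xml.etree.ElementTree as ET

NS = {
    "beans": "http://www.springframework.org/schema/beans",
    "util": "http://www.springframework.org/schema/util",
}
P = "{http://www.springframework.org/schema/p}"   # Spring p: attribute namespace
C = "{http://www.springframework.org/schema/c}"   # Spring c: attribute namespace

# Constructed sample: a trimmed copy of the general-authn.xml shape from the thread.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">
  <util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
          p:passiveAuthenticationSupported="true"
          p:forcedAuthenticationSupported="true" />
    <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
          p:forcedAuthenticationSupported="true"
          p:nonBrowserSupported="false">
      <property name="supportedPrincipals">
        <list>
          <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="http://example.org/ac/classes/mfa" />
          <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="http://example.org/ac/classes/mfa" />
        </list>
      </property>
    </bean>
    <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
          p:passiveAuthenticationSupported="true"
          p:forcedAuthenticationSupported="true">
      <property name="supportedPrincipals">
        <list>
          <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
          <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
        </list>
      </property>
    </bean>
  </util:list>
</beans>
"""


def load_flows(xml_text):
    """Map each flow id to its non-browser flag and explicit principal list.

    A missing p:nonBrowserSupported attribute is read as "true", matching the
    file's own comment that non-browser support is on by default.  An empty
    principal list means the flow relies on the IdP defaults, which this
    check does not try to reconstruct.
    """
    root = ET.fromstring(xml_text)
    flows = {}
    for lst in root.findall("util:list", NS):
        if lst.get("id") != "shibboleth.AvailableAuthenticationFlows":
            continue
        for bean in lst.findall("beans:bean", NS):
            principals = []
            for prop in bean.findall("beans:property", NS):
                if prop.get("name") != "supportedPrincipals":
                    continue
                for pb in prop.iter("{%s}bean" % NS["beans"]):
                    val = pb.get(C + "classRef") or pb.get(C + "method")
                    if val:
                        principals.append(val)
            flows[bean.get("id")] = {
                "nonBrowserSupported": bean.get(P + "nonBrowserSupported", "true") == "true",
                "principals": principals,
            }
    return flows


def non_browser_blocked(flows):
    """Flow ids the IdP will not offer to non-browser (ECP) clients."""
    return sorted(fid for fid, f in flows.items() if not f["nonBrowserSupported"])


def mfa_ecp_report(flows, mfa_flow="authn/MFA", factors=("authn/Password", "authn/Duo")):
    """Factors (or the MFA flow itself) that block ECP, plus principals the
    MFA flow fails to list even though a factor declares them.
    The default factor list is an assumption for this example."""
    blocking = [f for f in factors if f in flows and not flows[f]["nonBrowserSupported"]]
    mfa = flows.get(mfa_flow, {"nonBrowserSupported": True, "principals": []})
    if not mfa["nonBrowserSupported"]:
        blocking.insert(0, mfa_flow)
    needed = set()
    for f in factors:
        needed.update(flows.get(f, {}).get("principals", []))
    missing = sorted(needed - set(mfa["principals"]))
    return {"blocking": blocking, "missing_principals": missing}


if __name__ == "__main__":
    report = mfa_ecp_report(load_flows(SAMPLE_XML))
    for fid in report["blocking"]:
        print(f'{fid}: nonBrowserSupported="false", so it will not run for ECP')
    for principal in report["missing_principals"]:
        print(f"authn/MFA supportedPrincipals does not list {principal}")
```

To run it against a deployed IdP, replace SAMPLE_XML with the contents of conf/authn/general-authn.xml (for example load_flows(open(path).read())) and pass the factor ids your mfa-authn-config.xml actually chains. Flows with no explicit supportedPrincipals contribute nothing to the union check, so a clean report only covers the values the file states outright.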