ECP MFA -- 'mfa-authn-config.xml'

Joshua Brodie josbrodie at gmail.com
Tue Feb 11 22:17:15 EST 2020


I minimized 'mfa-authn-config.xml' to the bare minimum (shown below).

The 'checkSecondFactor' is not being reached for ECP (works fine for
browser).

The 'duo.properties' appear to be set as expected. Is there another piece I
could have overlooked in my delirious state after an afternoon by the
screen?


    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>

        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
        </entry>
    </util:map>

    <!-- Example script to see if second factor is required. -->
    <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
        p:customObject-ref="shibboleth.AttributeResolverService">
        <constructor-arg>
            <value>
            <![CDATA[
                logger = Java.type("org.slf4j.LoggerFactory").getLogger("checkSecondFactor");
                logger.info('++++++++++++ ++++++++++++++++++++++ ++++++++++++++++');
                logger.info('++++++++++++ profileContext.getProfileId() ++++++++++++++++' + profileContext.getProfileId());
                logger.info('++++++++++++  ++++++++++++++++');
                logger.info('++++++++++++ ++++++++++++++++++++++ ++++++++++++++++');
                nextFlow = "authn/Duo";
                nextFlow;
            ]]>
            </value>
        </constructor-arg>
    </bean>

On Tue, 11 Feb 2020 at 18:11, Cantor, Scott <cantor.2 at osu.edu> wrote:

> > Should "p:nonBrowserSupported="false"" -- be changed to "true" (I've
> > previously tried either -- but I may have messed up elsewhere). I have set up
> > duo.properties for the default 'idp.duo.nonbrowser.*' keys.
>
> It has to be true, self-evidently (ECP is not a browser), but it is absent
> (and true) by default on the MFA flow.
>
> It's false for Duo by default because you need to deploy a second
> integration of a different type in Duo to support non-browser AuthAPI use.
>
> -- Scott
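
A static check for the setting discussed in the quoted reply, as an added example that is not part of the thread or of the Shibboleth project: it lists the flows an MFA configuration names whose descriptor sets p:nonBrowserSupported="false". The sample XML is constructed, the function names are hypothetical, flow descriptors are assumed to be beans with ids of the form authn/..., and an absent attribute is treated as true, as the reply states for the MFA flow.

```python
import re
import xml.etree.ElementTree as ET

P = "{http://www.springframework.org/schema/p}"   # Spring p-namespace
NS = ('xmlns="http://www.springframework.org/schema/beans" '
      'xmlns:util="http://www.springframework.org/schema/util" '
      'xmlns:p="http://www.springframework.org/schema/p"')

# Constructed sample: flow descriptor beans (assumed layout, not a real deployment).
FLOWS_XML = f"""<beans {NS}>
  <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"/>
  <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
        p:nonBrowserSupported="false"/>
  <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"/>
</beans>"""

# Constructed sample: the transition map and script from the message, trimmed.
MFA_XML = f"""<beans {NS}>
  <util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key=""><bean parent="shibboleth.authn.MFA.Transition"
                        p:nextFlow="authn/Password"/></entry>
    <entry key="authn/Password"><bean parent="shibboleth.authn.MFA.Transition"
                        p:nextFlowStrategy-ref="checkSecondFactor"/></entry>
  </util:map>
  <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted"
        factory-method="inlineScript">
    <constructor-arg><value><![CDATA[ nextFlow = "authn/Duo"; nextFlow; ]]></value></constructor-arg>
  </bean>
</beans>"""

def non_browser_support(flows_xml):
    """Map flow id -> nonBrowserSupported; an absent attribute counts as true."""
    return {b.get("id"): b.get(P + "nonBrowserSupported", "true").strip().lower() == "true"
            for b in ET.fromstring(flows_xml).iter()
            if (b.get("id") or "").startswith("authn/")}

def flows_used_by_mfa(mfa_xml):
    """Flow ids named by p:nextFlow attributes or as string literals in scripts."""
    root = ET.fromstring(mfa_xml)
    used = {e.get(P + "nextFlow") for e in root.iter() if e.get(P + "nextFlow")}
    for e in root.iter():
        used.update(re.findall(r"""["'](authn/[\w.-]+)["']""", e.text or ""))
    return used

def ecp_blockers(flows_xml, mfa_xml):
    """Flows the MFA config names that are disabled for non-browser profiles."""
    support = non_browser_support(flows_xml)
    return sorted(f for f in flows_used_by_mfa(mfa_xml) if not support.get(f, True))

if __name__ == "__main__":
    print(ecp_blockers(FLOWS_XML, MFA_XML))
```

The script scan only finds flow ids written as string literals; a script that builds the id dynamically needs a manual read.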