MFA Resources
Mak, Steve
makst at upenn.edu
Tue Jul 28 18:16:14 UTC 2020
This list has warned in the past and I will warn you as well.
idp.authn.flows= MFA|Duo|Password
This line is enabling a possible MFA bypass in your IdP.
My IdP only has idp.authn.flows=MFA
You "enable" subflows for MFA by adding the flows to the conf/authn/general-authn.xml file. You should NOT enable the sub-flows by themselves in idp.properties.
From: users <users-bounces at shibboleth.net> on behalf of Jeremiah Garmatter <j-garmatter at onu.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Tuesday, July 28, 2020 at 14:10
To: Shib Users <users at shibboleth.net>
Subject: Re: MFA Resources
Thank you Scott,
Another member approached me with this documentation: https://mimoto.co.uk/shibboleth-idp/duo/mfa/2017/06/01/duo-mfa-in-shibboleth-idp.html
I had to modify it slightly to fit my configuration but we got it sorted out after all.
Thank you for your help with this. Have a good day!
-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 419-672-8685
-j-garmatter at onu.edu
On Tue, Jul 28, 2020 at 1:59 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
On 7/27/20, 8:49 PM, "users on behalf of Jeremiah Garmatter" <users-bounces at shibboleth.net on behalf of j-garmatter at onu.edu> wrote:
> I thought I could use Stanford University's MFA context
That's between you and Stanford, but there's basically one standard in academia, or you define your own. I use a URI I defined for my use on campus.
The REFEDS value is defined in https://refeds.org/profile/mfa and may be fine if the deployment meets its minimal requirements. OSU's deployment right now does not meet it, therefore I couldn't use it, and had to invent one.
> I will reiterate that I have little experience with Java and xml and no experience with the Spring WebFlow.
Should I be configuring some sort of script within the mfa-authn-config.xml script? Prior to this upgrade we were running Shibboleth 3.1.2, which didn't even support multifactor from what I understand, so I'm not sure how MFA factors into this whole situation. We only needed username and password authentication at that time. This single-factor authentication still works after the upgrade to Shibboleth 4.0. Am I supposed to configure MFA to override the single-factor username to allow for multiple forms of authentication? I have no idea how this works, and while reading the Shibboleth documentation I find myself more confused than when I started.
How does the ProfileConfiguration-Authentication link provided in the last email fit in with the relying-party.xml configuration I have in (2)? If I try to define the default auth method for a specific service provider, I was able to sign in to the service with only my username and password (no Duo enrollment or prompt) or I was met with another generic "relying-party.xml misconfiguration" error.
All I want is to sign in to one particular service provider with username and password, then be prompted to authenticate through Duo, and be brought back to my service if all goes well. I apologize for being so brash, but I don't have the time to become a spring developer and those who set this system up have left my place of business, taking their experience with them.
As usual, help is appreciated, but if what I ask is beyond the scope of this email list please refer me to another group.
(1.) general-authn.xml:
<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
        p:forcedAuthenticationSupported="true"
        p:nonBrowserSupported="false">
    <!--
    The list below should be changed to reflect whatever locally- or
    community-defined values are appropriate to represent MFA. It is
    strongly advised that the value not be specific to Duo or any
    particular technology.
    -->
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="http://example.org/ac/classes/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="http://example.org/ac/classes/mfa" />
        </list>
    </property>
</bean>
<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
        p:passiveAuthenticationSupported="true"
        p:forcedAuthenticationSupported="true">
    <!--
    The list below almost certainly requires changes, and should generally be the
    union of any of the separate factors you combine in your particular MFA flow
    rules. The example corresponds to the example in mfa-authn-config.xml that
    combines IPAddress with Password.
    -->
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
        </list>
    </property>
</bean>
(2.) relying-party.xml:
<!--
Default configuration, with default settings applied for all profiles, and enables
the attribute-release consent flow.
-->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
<bean parent="RelyingPartyByName" c:relyingPartyIds="SP's Entity-ID">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
            <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        </list>
    </property>
</bean>
-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-j-garmatter at onu.edu
On Mon, Jul 27, 2020 at 4:09 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
On 7/27/20, 3:43 PM, "users on behalf of Jeremiah Garmatter" <users-bounces at shibboleth.net on behalf of j-garmatter at onu.edu> wrote:
>I'm still confused about the services though. I looked into the relying-parties.xml and found that my predecessors
> included some profile configurations for most of the services. An example of one is included:
The SAML2.SSO bean has a lot of other settings. One of them is defaultAuthenticationMethods. All the profiles that involve a user logging in have that property.
https://wiki.shibboleth.net/confluence/display/IDP4/ProfileConfiguration-Authentication
Second example is what you're asking about.
> Would I simply have to create a new bean with the parent=shibboleth.SAML2AuthnContextClassRef passing in a class
> reference to my mfa method within the profileConfigurations property?
Sort of, but the example includes the right syntax (or one syntax among a dozen that are equivalent in Spring).
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
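The two configuration points made in this thread, the idp.authn.flows warning at the top and the "union of the separate factors" comment in the posted general-authn.xml, can be turned into a lint that runs against an IdP's config directory before the change is deployed. The script below is an added example written for this page; it is not code from the thread or from the Shibboleth project. The idp.properties lines and the general-authn.xml document are constructed from the snippets posted above (the XML is wrapped in a Spring <beans> root so it parses on its own), and the flow ids authn/Password, authn/Duo and authn/MFA are assumed to be the ones in use.

```python
"""Lint two Shibboleth IdP MFA settings raised in this thread.

Added example; not code from the thread or from the Shibboleth project.
All sample configuration below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Spring schema namespaces used by general-authn.xml.
BEANS_NS = "http://www.springframework.org/schema/beans"
C_NS = "http://www.springframework.org/schema/c"

# Constructed idp.properties lines: the flagged setting and the safe one.
WEAK_PROPERTIES = "idp.authn.flows= MFA|Duo|Password\n"
HARDENED_PROPERTIES = "idp.authn.flows=MFA\n"

# Constructed general-authn.xml, wrapped in a beans root so it parses alone.
# The two flow beans mirror the posted ones: Duo advertises the local MFA
# URI, MFA advertises only password-style classes.
GENERAL_AUTHN_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">
  <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow">
    <property name="supportedPrincipals">
      <list>
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="http://example.org/ac/classes/mfa" />
      </list>
    </property>
  </bean>
  <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow">
    <property name="supportedPrincipals">
      <list>
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
      </list>
    </property>
  </bean>
</beans>
"""


def enabled_flows(properties_text):
    """Return the flow names listed in idp.authn.flows, or None if unset."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "idp.authn.flows":
            return [f.strip() for f in value.split("|") if f.strip()]
    return None


def directly_selectable_subflows(properties_text):
    """Flows enabled alongside MFA in idp.authn.flows.

    With MFA listed, every login should enter the MFA flow, which runs the
    factors itself. Any other flow listed here can be selected by the IdP on
    its own, which is the bypass the warning at the top describes.
    """
    flows = enabled_flows(properties_text)
    if not flows or "MFA" not in flows:
        return []
    return [f for f in flows if f != "MFA"]


def supported_principals(xml_text):
    """Map each authn/* bean id to the SAML2 classRef values it advertises."""
    root = ET.fromstring(xml_text)
    out = {}
    # Walk the whole tree so nesting (e.g. inside a util:list) does not matter.
    for bean in root.iter(f"{{{BEANS_NS}}}bean"):
        flow_id = bean.get("id", "")
        if not flow_id.startswith("authn/"):
            continue
        refs = set()
        for prop in bean.findall(f"{{{BEANS_NS}}}property"):
            if prop.get("name") == "supportedPrincipals":
                for inner in prop.iter(f"{{{BEANS_NS}}}bean"):
                    ref = inner.get(f"{{{C_NS}}}classRef")
                    if ref:
                        refs.add(ref)
        out[flow_id] = refs
    return out


def missing_from_mfa(xml_text, subflows=("authn/Password", "authn/Duo")):
    """ClassRefs a sub-flow advertises that authn/MFA does not.

    The comment in the posted file says the MFA list should be the union of
    the factors it combines; anything returned here is a class an SP can
    request that the MFA flow is not declared able to satisfy.
    """
    principals = supported_principals(xml_text)
    union = set()
    for flow in subflows:
        union |= principals.get(flow, set())
    return sorted(union - principals.get("authn/MFA", set()))
```

Against the posted configuration the first check reports Duo and Password as directly selectable, and the second reports that the local MFA URI advertised by authn/Duo is absent from authn/MFA; the hardened idp.authn.flows=MFA line passes the first check. To run it on a real deployment, read conf/idp.properties and conf/authn/general-authn.xml from disk and pass their contents in place of the constructed strings.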