MFA using metadata to control if its required

Lipscomb, Gary glipscomb at csu.edu.au
Mon Mar 2 00:21:08 EST 2020 

Hi list,

I'm trying to get my head around how to configure MFA using DUO using just metadata attributes. I don't get passed to DUO and login fails at the SP. Sites which don't have the metadata attribute work fine.
Can you point me in the right direction.

Idp-process.log

2020-03-02 16:09:14,007 - 10.0.2.2 - DEBUG [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:192] - Profile Action TransitionMu
ltiFactorAuthentication: Preserving authentication result from 'authn/Password' flow
2020-03-02 16:09:14,007 - 10.0.2.2 - DEBUG [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:209] - Profile Action TransitionMu
ltiFactorAuthentication: Applying MFA transition rule to exit state 'authn/Password'
2020-03-02 16:09:14,181 - 10.0.2.2 - DEBUG [checkSecondFactor:5] - Starting checkSecondFactor
2020-03-02 16:09:14,299 - 10.0.2.2 - DEBUG [checkSecondFactor:10] - mfaCtx is net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext@
123aa3ce
2020-03-02 16:09:14,306 - 10.0.2.2 - DEBUG [net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:82] - Registry located pred
icate factory of type 'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory' for principal type 'class net.shibboleth.idp.
saml.authn.principal.AuthnContextClassRefPrincipal' and operator 'exact'
2020-03-02 16:09:14,321 - 10.0.2.2 - DEBUG [checkSecondFactor:17] - Second factor auth needs to run


2020-03-02 16:09:14,891 - 10.0.2.2 - DEBUG [net.shibboleth.idp.authn.impl.FinalizeAuthentication:243] - Profile Action FinalizeAuthentication: Checking result for compatibility with operator 'exact' and principal 'https://csu.edu.au/MFA_Required'
2020-03-02 16:09:14,892 - 10.0.2.2 - DEBUG [net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:82] - Registry located predicate factory of type 'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory' for principal type 'class net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal' and operator 'exact'
2020-03-02 16:09:14,893 - 10.0.2.2 - WARN [net.shibboleth.idp.authn.impl.FinalizeAuthentication:180] - Profile Action FinalizeAuthentication: Authentication result for flow authn/MFA did not satisfy the request
2020-03-02 16:09:14,940 - 10.0.2.2 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RequestUnsupported


Site metadata

    <mdattr:EntityAttributes>
        <saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>https://csu.edu.au/MFA_Required</saml:AttributeValue>
        </saml:Attribute>
        <!-- The disallowedFeatures setting is a bitmask, and 0x1 blocks SPs requesting authentication types. -->
        <saml:Attribute Name="http://shibboleth.net/ns/profiles/disallowedFeatures"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>0x1</saml:AttributeValue>
        </saml:Attribute>
    </mdattr:EntityAttributes>


General-authn.xml

        <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true" />

        <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
                p:forcedAuthenticationSupported="true"
                p:nonBrowserSupported="false">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="https://csu.edu.au/MFA_Required" />
                </list>
            </property>
        </bean>

        <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="https://csu.edu.au/MFA_Required" />

                    <!-- <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> -->

                </list>
            </property>
        </bean>


Mfa-authn-config.xml


      <![CDATA[
        nextFlow = "authn/Duo";


        logger = Java.type("org.slf4j.LoggerFactory").getLogger("checkSecondFactor");
        logger.debug('Starting checkSecondFactor');

        authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

        logger.debug('mfaCtx is ' + mfaCtx)

        if (mfaCtx.isAcceptable()) {
            logger.debug( 'Second factor auth does not need to run' );  // metadata not saying MFA_Required

        } else {

            logger.debug( 'Second factor auth needs to run' );
            nextFlow  = "authn/Duo" ;
          // Attribute check is required to decide if first factor alone is enough.

              nextFlow ;

          input.removeSubcontext(resCtx);   // cleanup
        }

        nextFlow = null ;
      ]]>


Gary Lipscomb
Technical Officer, Systems(Infrastructure) | Infrastructure & Client Services | Division of Information Technology
Charles Sturt University
Panorama Avenue
Bathurst NSW 2795
Tel: +61 2 6338 6533
Email: glipscomb at csu.edu.au |www.csu.edu.au




|   ALBURY-WODONGA   |   BATHURST   |   BRISBANE   |   CANBERRA   |   DUBBO   |   GOULBURN   |   MELBOURNE   |   ORANGE   |   PORT MACQUARIE   |   SYDNEY   |   WAGGA WAGGA   |

LEGAL NOTICE
This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email, you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery. Email should be checked for viruses and defects before opening. Charles Sturt University does not accept liability for viruses or any consequence which arise as a result of this email transmission. Email communications with Charles Sturt University may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read at Charles Sturt University. The views expressed in this email are not necessarily those of Charles Sturt University.
Charles Sturt University in Australia The Grange Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 551; CRICOS Provider Number: 00005F (National)). TEQSA Provider Number: PV12018
Consider the environment before printing this email.

More information about the users mailing list