MFA using metadata to control if it's required
Lipscomb, Gary
glipscomb at csu.edu.au
Mon Mar 2 22:02:56 EST 2020
Hi Scott,
It appears to have been an error in the mfa-authn-config.xml [1] file.
This now works using the code below. It only prompts for MFA where the attribute is set in the metadata and the user is staff.
Regards
Gary
[1] mfa-authn-config.xml
<![CDATA[
// Defaults to not requiring MFA.
nextFlow = null;

logger = Java.type("org.slf4j.LoggerFactory").getLogger("checkSecondFactor");
logger.info('Starting checkSecondFactor');

authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
rpCtx = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
rpId = rpCtx.getRelyingPartyId();

if (mfaCtx.isAcceptable()) {
    // The first factor already satisfies the request: the metadata for this RP did not ask for MFA.
    logger.info('Second factor auth does not need to run for: ' + rpId);
} else {
    logger.info('Second factor auth needs to run for ' + rpId);

    // Attribute check is required to decide if the first factor alone is enough.
    resCtx = input.getSubcontext("net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);

    // Look up the username.
    usernameLookupStrategyClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
    usernameLookupStrategy = new usernameLookupStrategyClass();
    resCtx.setPrincipal(usernameLookupStrategy.apply(input));
    resCtx.setAttributeRecipientID(rpId);
    resCtx.getRequestedIdPAttributeNames().add("memberOf");
    resCtx.resolveAttributes(custom);

    // Check for a group membership that requires the second factor.
    // contains() is an exact match on the attribute value, so the DNs here must
    // match the resolved memberOf values character for character (case and whitespace).
    attribute = resCtx.getResolvedIdPAttributes().get("memberOf");
    valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
    if (attribute != null
        && (attribute.getValues().contains(new valueType("cn=STAFF1,ou=Groups"))
            || attribute.getValues().contains(new valueType("cn=STAFF2,ou=Groups"))
            || attribute.getValues().contains(new valueType("cn=STAFF3,ou=Groups")))) {
        logger.info("Staff user requires DUO");
        nextFlow = "authn/Duo";
    }

    input.removeSubcontext(resCtx);   // cleanup
}

nextFlow;   // pass control to second factor or end with the first
]]>
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Tuesday, 3 March 2020 09:33
To: Shib Users <users at shibboleth.net>
Subject: Re: MFA using metadata to control if it's required
On 3/2/20, 4:28 PM, "users on behalf of Lipscomb, Gary" <users-bounces at shibboleth.net on behalf of glipscomb at csu.edu.au> wrote:
> I have these 2 segments in relyingparty.xml plus other overrides.
Looks ok to me as long as the MDDriven suffix is there. All you have is logs to look at, really, not much else I can say.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
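The decision the script above makes, restated as an added example (not code from the Shibboleth project or from the list post) so it can be exercised outside the IdP under Node: mfaAcceptable stands in for mfaCtx.isAcceptable(), memberOf for the resolved "memberOf" values, and the STAFF_GROUPS DNs are hypothetical, modelled on the post. It goes one step further than the script by normalising DNs before comparing them, because StringAttributeValue.contains() is an exact string match while cn/ou values in LDAP are case-insensitive and whitespace around RDNs is not significant. The example uses ES2015 syntax that the IdP's Nashorn engine would not accept; the logic, not the syntax, is the point.

```javascript
'use strict';

// Hypothetical staff groups, modelled on the DNs in the post.
const STAFF_GROUPS = [
  'cn=STAFF1,ou=Groups',
  'cn=STAFF2,ou=Groups',
  'cn=STAFF3,ou=Groups',
];

// Normalise a DN for comparison: lower-case attribute types and values
// (cn/ou use caseIgnoreMatch) and drop whitespace around RDNs and "=".
// Assumption: DNs contain no escaped commas.
function normalizeDn(dn) {
  return String(dn)
    .split(',')
    .map((rdn) => {
      const i = rdn.indexOf('=');
      if (i < 0) return rdn.trim().toLowerCase();
      return rdn.slice(0, i).trim().toLowerCase() + '=' + rdn.slice(i + 1).trim().toLowerCase();
    })
    .filter((s) => s.length > 0)
    .join(',');
}

// True if any memberOf value names one of the staff groups, after normalisation.
// A DN with extra components (e.g. a trailing dc=...) is a different group and does not match.
function isStaff(memberOf, staffGroups) {
  const wanted = new Set(staffGroups.map(normalizeDn));
  return (memberOf || []).some((v) => wanted.has(normalizeDn(v)));
}

// Mirror of the script's outcome: null means stop after the first factor,
// "authn/Duo" means run the second factor.
function nextFlowFor(mfaAcceptable, memberOf, staffGroups = STAFF_GROUPS) {
  if (mfaAcceptable) return null;            // metadata did not ask for MFA
  return isStaff(memberOf, staffGroups) ? 'authn/Duo' : null;
}

// Constructed sample inputs, standing in for what the IdP would pass.
const samples = [
  { sp: 'sp-without-mfa', acceptable: true,  memberOf: ['cn=STAFF1,ou=Groups'] },
  { sp: 'sp-with-mfa',    acceptable: false, memberOf: ['cn=staff2, ou=groups '] },
  { sp: 'sp-with-mfa',    acceptable: false, memberOf: ['cn=Students,ou=Groups'] },
];
for (const s of samples) {
  console.log(s.sp, s.memberOf, '->', nextFlowFor(s.acceptable, s.memberOf));
}

module.exports = { normalizeDn, isStaff, nextFlowFor, STAFF_GROUPS };
```

Note that, as in the posted script, a non-staff user at an SP whose metadata requires MFA gets null back: they are not sent to Duo, and the first-factor result alone is handed back to the IdP. Whether that should instead be a hard failure is a policy choice the script leaves to the IdP's handling of an unacceptable result.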