MFA using metadata to control if it's required

Lipscomb, Gary glipscomb at csu.edu.au
Mon Mar 2 22:02:56 EST 2020


Hi Scott,

It appears to have been an error in the mfa-authn-config.xml [1] file.
This now works using the code below. It only prompts for MFA where the attribute is set in the metadata and the user is staff.

Regards
Gary

[1] mfa-authn-config.xml

      <![CDATA[
        // Default to not requiring MFA.
        nextFlow = null;

        logger = Java.type("org.slf4j.LoggerFactory").getLogger("checkSecondFactor");
        logger.info("Starting checkSecondFactor");

        authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
        rpCtx = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
        rpId = (rpCtx != null) ? rpCtx.getRelyingPartyId() : null;

        if (mfaCtx.isAcceptable()) {
            // The SP's metadata attribute does not say MFA_Required, so the first factor is enough.
            logger.info("Second factor auth does not need to run for: " + rpId);
        } else if (rpCtx != null) {
            logger.info("Second factor auth needs to run for " + rpId);
            // Attribute check is required to decide if the first factor alone is enough.
            resCtx = input.getSubcontext("net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
            // Look up the username.
            usernameLookupStrategyClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
            usernameLookupStrategy = new usernameLookupStrategyClass();
            resCtx.setPrincipal(usernameLookupStrategy.apply(input));

            resCtx.setAttributeRecipientID(rpId);
            resCtx.getRequestedIdPAttributeNames().add("memberOf");
            resCtx.resolveAttributes(custom);   // 'custom' is the attribute resolver service bean bound into the script

            // Check for a group membership that requires the second factor.
            attribute = resCtx.getResolvedIdPAttributes().get("memberOf");
            valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
            if (attribute != null
                && (attribute.getValues().contains(new valueType("cn=STAFF1,ou=Groups")) ||
                    attribute.getValues().contains(new valueType("cn=STAFF2,ou=Groups")) ||
                    attribute.getValues().contains(new valueType("cn=STAFF3,ou=Groups")))) {
                logger.info("Staff user requires DUO");
                nextFlow = "authn/Duo";
            }

            input.removeSubcontext(resCtx);   // cleanup
        }

        nextFlow;   // pass control to the second factor or end with the first
      ]]>
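
An added example, not from Gary's configuration or from the Shibboleth project, that models the decision the script above makes as a plain Node.js function so the group matching can be exercised offline. It assumes memberOf values are LDAP DNs and, unlike the script (which compares with StringAttributeValue.equals), normalises DN case and whitespace before matching; it also makes the "memberOf could not be resolved" case explicit, since the script falls through to first factor only when the attribute is missing.

```javascript
// Normalise an LDAP DN for comparison: LDAP DNs are case-insensitive and
// ignore whitespace around '=' and ',', but a plain string compare is not.
function normalizeDn(dn) {
  return String(dn)
    .trim()
    .replace(/\s*([=,])\s*/g, '$1')
    .toLowerCase();
}

// Constructed group DNs mirroring the placeholders used in the script above.
const STAFF_GROUPS = [
  'cn=STAFF1,ou=Groups',
  'cn=STAFF2,ou=Groups',
  'cn=STAFF3,ou=Groups',
].map(normalizeDn);

// Decide the next MFA flow.
//   mfaAcceptable : what mfaCtx.isAcceptable() returned (true = SP metadata
//                   does not require a second factor)
//   memberOf      : array of resolved memberOf values, or null if resolution
//                   produced no attribute
//   failClosed    : when memberOf is missing, require Duo instead of silently
//                   finishing with the first factor (the script above fails open)
// Returns null (first factor only) or 'authn/Duo'.
function decideNextFlow({ mfaAcceptable, memberOf, failClosed = true }) {
  if (mfaAcceptable) {
    return null;
  }
  if (memberOf == null) {
    return failClosed ? 'authn/Duo' : null;
  }
  const groups = new Set(memberOf.map(normalizeDn));
  const isStaff = STAFF_GROUPS.some((g) => groups.has(g));
  return isStaff ? 'authn/Duo' : null;
}
```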

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Tuesday, 3 March 2020 09:33
To: Shib Users <users at shibboleth.net>
Subject: Re: MFA using metadata to control if it's required

On 3/2/20, 4:28 PM, "users on behalf of Lipscomb, Gary" <users-bounces at shibboleth.net on behalf of glipscomb at csu.edu.au> wrote:

> I have these 2 segments in relyingparty.xml plus other overrides. 

Looks ok to me as long as the MDDriven suffix is there. All you have is logs to look at, really, not much else I can say.

-- Scott


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
