MFA using metadata to control if its required

Lipscomb, Gary glipscomb at
Mon Mar 2 22:02:56 EST 2020

Hi Scott,

It appears to have been an error in the mfa-authn-config.xml [1] file.
This now works using the code below.  It only prompts for MFA where the attribute is set in the metadata and the user is staff.


[1] mfa-authn-config.xml

        // defaults to not require MFA
        nextFlow = null;

        logger = Java.type("org.slf4j.LoggerFactory").getLogger("checkSecondFactor");
        logger.info('Starting checkSecondFactor');

        // 'input' is the ProfileRequestContext bound into the scripted function
        authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
        rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
        rpId = (rpCtx != null) ? rpCtx.getRelyingPartyId() : null;

        if (mfaCtx.isAcceptable()) {
            // metadata attribute not saying MFA_Required: first factor already satisfies the request
            logger.info('Second factor auth does not need to run for: ' + rpId);
        } else if (rpCtx != null) {
            logger.info('Second factor auth needs to run for ' + rpId);
            logger.info("RelyingParty ID: " + rpId);
            // Attribute check is required to decide if first factor alone is enough.
            resCtx = input.getSubcontext("net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
            // Look up the username and resolve memberOf for it. The setPrincipal /
            // add / resolveAttributes calls follow the standard Shibboleth MFA
            // example; without them getResolvedIdPAttributes() is empty and the
            // staff check below can never match.
            usernameLookupStrategyClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
            usernameLookupStrategy = new usernameLookupStrategyClass();
            resCtx.setPrincipal(usernameLookupStrategy.apply(input));
            resCtx.getRequestedIdPAttributeNames().add("memberOf");
            resCtx.resolveAttributes(custom);   // assumes 'custom' is the bean's customObject, the AttributeResolverService

            // Check for an attribute that authorizes use of second factor.
            // Group DNs are compared as exact strings, so they must match the
            // resolved values character for character (the three entries below
            // follow the form of the first).
            attribute = resCtx.getResolvedIdPAttributes().get("memberOf");
            valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
            if (attribute != null
                && (attribute.getValues().contains(new valueType("cn=STAFF1,ou=Groups")) ||
                    attribute.getValues().contains(new valueType("cn=STAFF2,ou=Groups")) ||
                    attribute.getValues().contains(new valueType("cn=STAFF3,ou=Groups")))) {
                logger.info("Staff user requires DUO");
                nextFlow = "authn/Duo";
            }
            // non-staff users fall through with nextFlow still null

            input.removeSubcontext(resCtx);   // cleanup
        }

        nextFlow;   // pass control to second factor or end with the first

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Tuesday, 3 March 2020 09:33
To: Shib Users <users at>
Subject: Re: MFA using metadata to control if its required

On 3/2/20, 4:28 PM, "users on behalf of Lipscomb, Gary" <users-bounces at on behalf of glipscomb at> wrote:

> I have these 2 segments in relyingparty.xml plus other overrides. 

Looks ok to me as long as the MDDriven suffix is there. All you have is logs to look at, really, not much else I can say.

-- Scott

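The decision made by the checkSecondFactor script above, factored into a pure function so it can be run and unit-tested offline with Node. This is an added example, not code from the original post or from Shibboleth: STAFF_GROUPS, normalizeDn, isStaff, decideNextFlow and the SAMPLES contexts are this example's own names and constructed data, and each context only stands in for the IdP objects the script reads (isAcceptable(), the relying party ID, the resolved memberOf values). It goes one step beyond the script by normalising DN whitespace and case before comparing, since the IdP script's StringAttributeValue comparison is exact.

```javascript
// Added example, not from the original post or from Shibboleth: the
// checkSecondFactor decision as a pure function, runnable under Node.
// STAFF_GROUPS, normalizeDn, isStaff, decideNextFlow and SAMPLES are this
// example's own names; the sample contexts are constructed, not real.

// Staff group DNs, written in the form of the first entry in the post.
const STAFF_GROUPS = [
  'cn=STAFF1,ou=Groups',
  'cn=STAFF2,ou=Groups',
  'cn=STAFF3,ou=Groups',
];

// Canonicalise a DN for comparison: one RDN per comma, whitespace around
// '=' and ',' dropped, attribute types and values lower-cased (cn and ou use
// LDAP's caseIgnoreMatch, so "CN=Staff1" and "cn=STAFF1" name the same group).
// The IdP script compares StringAttributeValue objects exactly, which is why a
// stray space or case difference in a hard-coded DN silently stops matching.
function normalizeDn(dn) {
  return String(dn)
    .split(',')
    .map((rdn) => {
      const idx = rdn.indexOf('=');
      if (idx < 0) return rdn.trim().toLowerCase();
      const type = rdn.slice(0, idx).trim().toLowerCase();
      const value = rdn.slice(idx + 1).trim().toLowerCase();
      return `${type}=${value}`;
    })
    .join(',');
}

const STAFF_SET = new Set(STAFF_GROUPS.map(normalizeDn));

// True if any memberOf value names one of the staff groups.
function isStaff(memberOf) {
  if (!Array.isArray(memberOf)) return false;
  return memberOf.some((v) => STAFF_SET.has(normalizeDn(v)));
}

// ctx models the parts of the ProfileRequestContext the script reads:
//   mfaAcceptable  - MultiFactorAuthenticationContext.isAcceptable()
//   relyingPartyId - RelyingPartyContext.getRelyingPartyId(), null when the
//                    context is absent
//   memberOf       - resolved memberOf values, undefined when not resolved
// Returns the nextFlow value the script would hand back to the MFA flow
// ('authn/Duo' or null) plus a reason string for logging.
function decideNextFlow(ctx) {
  if (ctx.mfaAcceptable) {
    return { nextFlow: null, reason: 'first factor satisfies the request' };
  }
  if (ctx.relyingPartyId == null) {
    return { nextFlow: null, reason: 'no RelyingPartyContext' };
  }
  if (isStaff(ctx.memberOf)) {
    return { nextFlow: 'authn/Duo', reason: 'staff user, SP metadata requests MFA' };
  }
  // Same outcome as the posted script: a non-staff user at an SP whose
  // metadata requests MFA ends with the first factor only. Kept as a distinct
  // reason so the case is visible in logs and can be reviewed as policy.
  return { nextFlow: null, reason: 'non-staff user, SP metadata requests MFA' };
}

// Constructed sample contexts (not real SPs, users or groups).
const SAMPLES = {
  plainSp: {
    mfaAcceptable: true,
    relyingPartyId: 'https://sp.example.org/shibboleth',
    memberOf: ['cn=STAFF1,ou=Groups'],
  },
  staffAtMfaSp: {
    mfaAcceptable: false,
    relyingPartyId: 'https://mfa-sp.example.org/shibboleth',
    memberOf: ['cn=Students,ou=Groups', 'CN = Staff2 , OU = Groups'],
  },
  studentAtMfaSp: {
    mfaAcceptable: false,
    relyingPartyId: 'https://mfa-sp.example.org/shibboleth',
    memberOf: ['cn=Students,ou=Groups'],
  },
  unresolvedAtMfaSp: {
    mfaAcceptable: false,
    relyingPartyId: 'https://mfa-sp.example.org/shibboleth',
    memberOf: undefined,
  },
  noRelyingParty: {
    mfaAcceptable: false,
    relyingPartyId: null,
    memberOf: ['cn=STAFF3,ou=Groups'],
  },
};

for (const [name, ctx] of Object.entries(SAMPLES)) {
  const { nextFlow, reason } = decideNextFlow(ctx);
  console.log(`${name.padEnd(18)} nextFlow=${String(nextFlow).padEnd(10)} (${reason})`);
}
```

The two null outcomes at an MFA-requesting SP (non-staff user, attribute not resolved) are deliberately reported with different reasons: in the IdP script both collapse into "nextFlow stays null", and an unresolved memberOf attribute looks identical to a genuine non-staff user unless the log says otherwise.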