MFA using metadata

Lipscomb, Gary glipscomb at csu.edu.au
Sun Mar 8 18:49:57 EDT 2020


Hi list,

I’ve managed to get MFA/Duo working by adding the following into the SP’s metadata

    <!-- Placed inside the SP EntityDescriptor's <md:Extensions> element. -->
    <!-- <mdattr:EntityAttributes> -->
      <!-- Forces the MFA_Required class for every request from this SP. -->
      <!-- <saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml:AttributeValue>https://csu.edu.au/MFA_Required</saml:AttributeValue>
           </saml:Attribute> -->
      <!-- The disallowedFeatures setting is a bitmask, and 0x1 blocks SPs requesting authentication types. -->
      <!-- <saml:Attribute Name="http://shibboleth.net/ns/profiles/disallowedFeatures"
             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml:AttributeValue>0x1</saml:AttributeValue>
           </saml:Attribute> -->
    <!-- </mdattr:EntityAttributes> -->


Our mfa-authn-config.xml contains

    <util:map id="shibboleth.authn.MFA.TransitionMap">
      <!-- First rule runs the Password login flow. -->
      <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
      </entry>

      <!-- Second rule runs a function to determine whether an additional factor is required. -->
      <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
      </entry>

      <!-- An implicit final rule will return whatever the final flow returns. -->
    </util:map>


When the flow transitions from authn/Password to checkSecondFactor, mfaCtx.isAcceptable() returns false for all users when accessing this SP.
If the user accesses another SP where this attribute doesn't exist in the metadata, mfaCtx.isAcceptable() returns true for all users when transitioning from the authn/Password flow.

With this SP we want to apply the second factor “Duo” only to “Staff”, not “Students”.
If I test to see if the user is “Staff”, I then set nextFlow to “authn/Duo”; the user completes the Duo process and gains access to the SP.

If the user is a “Student”, mfaCtx.isAcceptable() remains set to “false”, access to the SP is denied, and an error is generated by the SP.

Is there a way to be selective if you use the above metadata settings, or should I be using another metadata attribute to control access? Our preferred option is to use metadata to control whether MFA is required.

Or is there a way to programmatically set mfaCtx.isAcceptable() to “true” for “Students” in the mfa-authn-config.xml flow?

Regards

Gary

Gary Lipscomb
Technical Officer, Systems(Infrastructure) | Infrastructure & Client Services | Division of Information Technology
Charles Sturt University
Email: glipscomb at csu.edu.au |www.csu.edu.au
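The checkSecondFactor bean referenced in the transition map above is not shown in the post. The following is an added example of how such a bean could be written, not the poster's configuration: a scripted function in mfa-authn-config.xml that resolves an affiliation attribute after the Password flow, sends staff to authn/Duo, and for everyone else adds the class that the SP metadata demands to the Password result so that mfaCtx.isAcceptable() becomes true and the flow can end without Duo. The attribute ID "eduPersonAffiliation", the value "staff", and the principal-adding approach for students are assumptions; the context lookups and the attribute-resolution steps follow the pattern used by the IdP's own scripted MFA examples.

```xml
<!-- Added example; not part of the original post. Assumes an IdP attribute
     "eduPersonAffiliation" whose values include "staff" (everyone else is
     treated as a student). -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted"
      factory-method="inlineScript"
      p:customObject-ref="shibboleth.AttributeResolverService">
  <constructor-arg>
    <value>
    <![CDATA[
      nextFlow = "authn/Duo";

      authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
      mfaCtx  = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

      if (mfaCtx.isAcceptable()) {
          // SP did not demand MFA_Required (no metadata attribute): Password is enough.
          nextFlow = null;
      } else {
          // Password alone does not satisfy defaultAuthenticationMethods = MFA_Required.
          // Resolve the affiliation attribute for the just-authenticated user.
          resCtx = input.getSubcontext(
              "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
          UsernameLookup = Java.type(
              "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
          resCtx.setPrincipal(new UsernameLookup().apply(input));
          resCtx.getRequestedIdPAttributeNames().add("eduPersonAffiliation");
          resCtx.resolveAttributes(custom);   // custom = shibboleth.AttributeResolverService

          affiliation = resCtx.getResolvedIdPAttributes().get("eduPersonAffiliation");
          StringValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
          isStaff = affiliation != null
                    && affiliation.getValues().contains(new StringValue("staff"));
          input.removeSubcontext(resCtx);     // clean up so later resolution starts fresh

          if (!isStaff) {
              // Student: skip Duo, but label the Password result with the class the SP
              // requires so the merged result is acceptable and the flow ends cleanly
              // instead of returning an unsatisfied context and an error at the SP.
              // (Assumed approach: mutates the result stored in the IdP session.)
              ClassRef = Java.type(
                  "net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal");
              mfaCtx.getActiveResults().get("authn/Password").getSubject().getPrincipals()
                    .add(new ClassRef("https://csu.edu.au/MFA_Required"));
              nextFlow = null;
          }
      }

      nextFlow;   // "authn/Duo" for staff, null to finish with what has run so far
    ]]>
    </value>
  </constructor-arg>
</bean>
```

Two things to check before relying on this: the authn/Duo flow's supportedPrincipals must include https://csu.edu.au/MFA_Required, or the merged result will still not be acceptable for staff; and because the student branch adds the principal to the Subject held in the IdP session, that Password result will be treated as satisfying MFA_Required for the rest of the SSO session, which is only correct if students are meant to be exempt everywhere, not just at this SP.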