CAS protocol and auditContext during MDA authn flow
Michael A Grady
mgrady at unicon.net
Sat May 2 17:20:45 EDT 2020
So the following had been working ok in Shib IdPv3.3+ to add a field to the auditContext in the MFA scripting:

    // Record which authentication path the MFA flow selected in the audit fields
    auditCtx = input.getSubcontext("net.shibboleth.idp.profile.context.AuditContext");
    if (nextFlow == "authn/Duo") {
        auditCtx.getFields().put("mfa", "Pwd+Duo");
    } else {
        auditCtx.getFields().put("mfa", "Pwd_only");
    }

That came out of the following email exchange back in 2018:
https://shibboleth.1660669.n2.nabble.com/Audit-log-MFA-and-Duo-td7638573.html
and works fine as long as it is a SAML flow. But I just discovered that if one adds in usage of the CAS protocol, that auditContext does not appear to exist yet, so auditCtx ends up null. That's, of course, easy enough to account for as follows:

    auditCtx = input.getSubcontext("net.shibboleth.idp.profile.context.AuditContext");
    // Guard: the AuditContext may not exist yet (seen with the CAS protocol)
    if (auditCtx != null) {
        if (nextFlow == "authn/Duo") {
            auditCtx.getFields().put("mfa", "Pwd+Duo");
        } else {
            auditCtx.getFields().put("mfa", "Pwd_only");
        }
    }

but then one doesn't get that added field for audit logging for the CAS protocol. And the CAS CASAuditFields code doesn't appear to allow adding any fields. Am I missing anything, or, to get something added for CAS protocol audit lines, would you have to add something in later in the overall flows?
--
Michael A. Grady
IAM Architect, Unicon, Inc.