SP Requiring/Requesting MFA (was Re: Customizing Second Factor Configuration in mfa-authn-config.xml)

Cantor, Scott cantor.2 at osu.edu
Mon Apr 26 17:47:23 UTC 2021


On 4/26/21, 1:24 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:

>    OK then, to NOT do this globally, I define the supported authn in relying-party.xml under
> DefaultRelyingParty? Here are some of the important bits:

The DefaultRelyingParty settings are global, overrides are non-global, as are metadata-driven settings when that's done in place of putting them in the central file.

>    idp.authn.flows= RemoteUser|MFA

As the documentation notes, MFA generally stands alone. If it's enabled, nothing else generally is, or at least nothing that it directly controls/directs the use of. I doubt very seriously you want both enabled, and that will do very surprising things at times, if not outright broken ones.

>                <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/RemoteUser" />

i.e. there is no way you should have RemoteUser enabled, because you do not want the IdP running it by itself; the MFA logic already runs it when required.

>    I still have the same issue with the SP requesting mfa (the one I earlier posted the authn request) as it is here
> - in this case mfa is done. When I try to force it to Password with SAML2.SSO.FEATURE_AUTHNCONTEXT I get:

You didn't indicate what the issue was originally, but no, you can't do that globally without issues. If you try and globally block requests like that, you're going to break stuff.

If you explicitly enable MFA for some SP using the IdP to do it, then by definition you know it shouldn't be requesting anything and it's safe to block the feature for that SP. Globally? No, that doesn't work.

You can, at best, audit everything over time, find all the systems that are requesting something and either get them to stop or create an override that's inverted (every SP *but* the outliers).

Until that point, enabling MFA would have to be a per-SP setting or, handled more effectively, a metadata-driven setting using a tag attached to the metadata. Or literally two metadata-driven settings to actually control the defaultAuthenticationMethods and disallowedFeatures settings from metadata, which is what I do personally.

-- Scott
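What the two per-SP approaches in the reply above look like in conf/relying-party.xml, as an added example that is not part of the original thread or of the Shibboleth project's own configuration: one override enables MFA for a single SP and blocks that SP's AuthnContext requests (safe because the IdP, not the SP, decides), and a second, "inverted" override enables MFA for every SP except an audited list of outliers. The entity IDs are placeholders; the bean names (RelyingPartyByName, shibboleth.Conditions.NOT, shibboleth.Conditions.RelyingPartyId, shibboleth.SAML2AuthnContextClassRef) are taken from the IdP 4 relying-party configuration as I know it and should be checked against the current documentation before use. This fragment assumes the usual xmlns declarations at the top of relying-party.xml and that idp.authn.flows lists only MFA, per the reply.

```xml
<!-- Added example, not from the original post. Fragment of conf/relying-party.xml;
     the surrounding <beans> element and namespace declarations are the file's own. -->

<!-- The context class the IdP asserts when the MFA flow completes. -->
<bean id="refedsMFA" parent="shibboleth.SAML2AuthnContextClassRef"
      c:classRef="https://refeds.org/profile/mfa" />

<!-- Global defaults stay as they are: no MFA, and SPs may still request
     an authentication context, so nothing is broken for un-audited SPs. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" />
        </list>
    </property>
</bean>

<!-- Overrides are checked in order; the first match wins. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- Override 1: one SP for which the IdP itself enforces MFA.
         Because the IdP decides, any AuthnContext the SP sends can safely be
         ignored: disallowedFeatures blocks the AuthnContext feature for this SP only.
         Placeholder entity ID. -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="#{{'https://sp-mfa.example.org/shibboleth'}}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <ref bean="refedsMFA" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>

    <!-- Override 2, the "inverted" override: MFA for every SP *except* the
         outliers found by auditing, which still request their own context and
         therefore keep the global behaviour. AuthnContext requests are NOT
         blocked here, since these SPs were not individually vetted.
         Placeholder entity IDs. -->
    <bean parent="RelyingParty">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.NOT">
                <constructor-arg>
                    <bean parent="shibboleth.Conditions.RelyingPartyId"
                          c:candidates="#{{'https://legacy1.example.org/sp',
                                            'https://legacy2.example.org/sp'}}" />
                </constructor-arg>
            </bean>
        </property>
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <ref bean="refedsMFA" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>

</util:list>
```

The design point is the one the reply makes: disallowedFeatures is only applied in the override for the SP that the IdP explicitly manages, never in the default or the inverted override, because globally discarding requested contexts breaks any SP that legitimately asks for one. The audit of what SPs are requesting (the idp-audit log records the requested and resulting context) is what lets the exclusion list in Override 2 shrink over time.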
