Forcing MFA for some SPs and not Others

Ullfig, Roberto Alfredo rullfig at uic.edu
Fri Aug 13 17:13:06 UTC 2021


Hmm, I have this - every other test works fine:

    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/RemoteUser" />
        </entry>
        <entry key="authn/RemoteUser">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
        </entry>
        <!-- An implicit final rule will return whatever the final flow returns. -->
    </util:map>

    <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
        p:customObject-ref="shibboleth.AttributeResolverService">
        <constructor-arg>
            <value>
            <![CDATA[

                // Setup some environment for later
                resCtx = input.getSubcontext("net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
                usernameLookupStrategyClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
                usernameLookupStrategy = new usernameLookupStrategyClass();
                resCtx.setPrincipal(usernameLookupStrategy.apply(input));
                stringType =  Java.type("net.shibboleth.idp.attribute.StringAttributeValue");

                authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
                mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

                // Fetch Duo attributes
                resCtx.getRequestedIdPAttributeNames().add("eduPersonEntitlement");
                resCtx.resolveAttributes(custom);
                epe = resCtx.getResolvedIdPAttributes().get("eduPersonEntitlement");
                // Get SP Entity ID ("input" is the ProfileRequestContext passed to this script)
                rpid = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();

                // Default: finish with the first factor unless a rule below asks for Duo
                nextFlow = null;

                // Force MFA for SP Entity ID
                if( rpid != null )
                {
                    switch( rpid )
                    {
                        case "box.net":
                            nextFlow = "authn/Duo"; break;
                        case "https://ca1.qualtrics.com":
                            nextFlow = "authn/Duo"; break;
                        case "https://jostle.us":
                            nextFlow = "authn/Duo"; break;
                        default:
                            // Any other SP: Duo only if the results already in the session don't satisfy the request
                            if( mfaCtx.isAcceptable() )
                            {
                                nextFlow = null;
                            }
                            else
                            {
                                nextFlow = "authn/Duo";
                            }
                            break;
                    }
                }

                // Entitlement group excepted from Duo
                if( epe != null && epe.getValues().contains(new stringType("https://shibboleth.uic.edu/entitlement/shibexemptfromduo")) )
                {
                    if( mfaCtx.isAcceptable() )
                    {
                        nextFlow = null;
                    }
                }

                input.removeSubcontext(resCtx);   // cleanup

                nextFlow;   // pass control to second factor or end with the first
            ]]>
            </value>
        </constructor-arg>
    </bean>

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Wessel, Keith <kwessel at illinois.edu>
Sent: Friday, August 13, 2021 12:02 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Forcing MFA for some SPs and not Others


That’s not true if you have MFA configured properly. The second MFA should see that the currently satisfied authentication methods aren’t sufficient and should prompt the user for step-up authentication. That is, it’ll skip asking the user for their username and password again but will go straight to the MFA prompt.

Keith

From: users <users-bounces at shibboleth.net> On Behalf Of Ullfig, Roberto Alfredo
Sent: Friday, August 13, 2021 11:56 AM
To: Shib Users <users at shibboleth.net>
Subject: Forcing MFA for some SPs and not Others
Is there a way for Shibboleth to create different cookies for different SPs? For instance, if I force MFA on an application on the IDP side I can easily get around MFA by logging into another SP that doesn't require MFA first because I've already identified myself.
---

Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago