Forcing MFA for some SPs and not Others
Ullfig, Roberto Alfredo
rullfig at uic.edu
Fri Aug 13 17:35:46 UTC 2021
...but then that breaks my code to have user exceptions in mfa-authn-config.xml. Is there a way to force it by application in relying-party yet still have a user exception?
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: Ullfig, Roberto Alfredo <rullfig at uic.edu>
Sent: Friday, August 13, 2021 12:28 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Forcing MFA for some SPs and not Others
That was it, was too quick to remove the code I had in relying-party.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Ullfig, Roberto Alfredo <rullfig at uic.edu>
Sent: Friday, August 13, 2021 12:15 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Forcing MFA for some SPs and not Others
I had been using relying-party before but wanted more control so moved everything entirely to mfa-authn-config.xml. I can try with some of the old relying party code again, thanks.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Brian Moon via users <users at shibboleth.net>
Sent: Friday, August 13, 2021 12:11 PM
To: Shib Users <users at shibboleth.net>
Cc: Brian Moon <bmoon at scu.edu>
Subject: Re: Forcing MFA for some SPs and not Others
Hello Roberto,
Check out this bit of documentation here: https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1474297850/Supporting+the+REFEDS+MFA+Profile
Basically what you need to do is ensure that you are directing everything to the MFA flow. Within the MFA flow, follow the example to check to see if a second factor is needed and then pass on control as needed.
You will also need to ensure that you have the MFA principals defined and then use conf/relying-party.xml to require MFA for certain SPs.
Hope that helps
Brian Moon
Senior System Administrator, Enterprise Systems
Santa Clara University
On Fri, Aug 13, 2021 at 10:02 AM Wessel, Keith <kwessel at illinois.edu> wrote:
That’s not true if you have MFA configured properly. The second MFA should see that the currently satisfied authentication methods aren’t sufficient and should prompt the user for step-up authentication. That is, it’ll skip asking the user for their username and password again but will go straight to the MFA prompt.
Keith
From: users <users-bounces at shibboleth.net> On Behalf Of Ullfig, Roberto Alfredo
Sent: Friday, August 13, 2021 11:56 AM
To: Shib Users <users at shibboleth.net>
Subject: Forcing MFA for some SPs and not Others
Is there a way for Shibboleth to create different cookies for different SPs? For instance, if I force MFA on an application on the IDP side I can easily get around MFA by logging into another SP that doesn't require MFA first because I've already identified myself.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago