Forcing MFA for some SPs and not Others

Fri Aug 13 17:41:07 UTC 2021

So that user exception code should be as follows:
// Entitlement group excepted from Duo
if( epe != null && epe.getValues().contains(new stringType("
https://shibboleth.uic.edu/entitlement/shibexemptfromduo")) )
{
    nextFlow = null;
}

By having if( mfaCtx.isAcceptable() ) in there, you are still deferring to
what the SP wants rather than overriding it.

Cheers!

Brian Moon
Senior System Administrator, Enterprise Systems
Santa Clara University

On Fri, Aug 13, 2021 at 10:35 AM Ullfig, Roberto Alfredo <rullfig at uic.edu>
wrote:

> ...but then that breaks my code to have user exceptions
> in mfa-authn-config.xml. Is there a way to force it by application in
> relying-party yet still have a user exception?
>
> ---
> Roberto Ullfig - rullfig at uic.edu
> Systems Administrator
> Enterprise Applications & Services | Technology Solutions
> University of Illinois - Chicago
> ------------------------------
> *From:* Ullfig, Roberto Alfredo <rullfig at uic.edu>
> *Sent:* Friday, August 13, 2021 12:28 PM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Re: Forcing MFA for some SPs and not Others
>
> That was it, was too quick to remove the code I had in relying-party.
>
> ---
> Roberto Ullfig - rullfig at uic.edu
> Systems Administrator
> Enterprise Applications & Services | Technology Solutions
> University of Illinois - Chicago
> ------------------------------
> *From:* users <users-bounces at shibboleth.net> on behalf of Ullfig, Roberto
> Alfredo <rullfig at uic.edu>
> *Sent:* Friday, August 13, 2021 12:15 PM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Re: Forcing MFA for some SPs and not Others
>
> I had been using relying-party before but wanted more control so moved
> everything entirely to mfa-authn-config.xml. I can try with some of the old
> relying party code again, thanks.
>
> ---
> Roberto Ullfig - rullfig at uic.edu
> Systems Administrator
> Enterprise Applications & Services | Technology Solutions
> University of Illinois - Chicago
> ------------------------------
> *From:* users <users-bounces at shibboleth.net> on behalf of Brian Moon via
> users <users at shibboleth.net>
> *Sent:* Friday, August 13, 2021 12:11 PM
> *To:* Shib Users <users at shibboleth.net>
> *Cc:* Brian Moon <bmoon at scu.edu>
> *Subject:* Re: Forcing MFA for some SPs and not Others
>
> Hello Roberto,
>
> Check out this bit of documentation here:
> https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1474297850/Supporting+the+REFEDS+MFA+Profile
> <https://urldefense.com/v3/__https://nam04.safelinks.protection.outlook.com/?url=https*3A*2F*2Fshibboleth.atlassian.net*2Fwiki*2Fspaces*2FKB*2Fpages*2F1474297850*2FSupporting*2Bthe*2BREFEDS*2BMFA*2BProfile&data=04*7C01*7Crullfig*40uic.edu*7C258bf517821b4285086108d95e7df309*7Ce202cd477a564baa99e3e3b71a7c77dd*7C0*7C0*7C637644717300972742*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000&sdata=kzRqsYVnFdjgtwE*2ByLkXfdxSae77TaUeHPJXf9GQq6c*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!MLMg-p0Z!U8iVwiYgYuzIXyJ-bCxnu9wCEbVsa5F5PFNbLHjXA6zbu58K5u8_ZQKaAAn8$>
>
> Basically what you need to do is ensure that you are directing everything
> to the MFA flow.  Within the MFA flow, follow the example to check to see
> if a second factor is needed and then pass on control as needed.
>
> You will also need to ensure that you have the MFA principals defined and
> then use conf/relying-party.xml to require MFA for certain SPs.
>
> Hope that helps
>
> Brian Moon
> Senior System Administrator, Enterprise Systems
> Santa Clara University
>
>
> On Fri, Aug 13, 2021 at 10:02 AM Wessel, Keith <kwessel at illinois.edu>
> wrote:
>
> That’s not true if you hve MFA configured properly. The second MFA should
> see that the currently satisfied authentication methods isn’t sufficient
> and should prompt the user for step-up authentication. That is, it’ll skip
> asking the user for their username and password again but will go straight
> to the MFA prompt.
>
>
>
> Keith
>
>
>
>
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of *Ullfig,
> Roberto Alfredo
> *Sent:* Friday, August 13, 2021 11:56 AM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Forcing MFA for some SPs and not Others
>
>
>
> Is there a way for Shibboleth to create different cookies for different
> SPs? For instance, if I force MFA on an application on the IDP side I can
> easily get around MFA by logging into another SP that doesn't require MFA
> first because I've already identified myself.
>
>
>
> ---
>
> Roberto Ullfig - rullfig at uic.edu
> Systems Administrator
> Enterprise Applications & Services | Technology Solutions
> University of Illinois - Chicago
> --
> For Consortium Member technical support, see
> https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!MLMg-p0Z!WKibHMkiKehbRt_aA4QztTnM5sRY5yu43iAKRJPn2yGtdRNId64dO-3wEJMV$
> <https://urldefense.com/v3/__https://nam04.safelinks.protection.outlook.com/?url=https*3A*2F*2Furldefense.com*2Fv3*2F__https*3A*2F*2Fshibboleth.atlassian.net*2Fwiki*2Fx*2FZYEpPw__*3B!!MLMg-p0Z!WKibHMkiKehbRt_aA4QztTnM5sRY5yu43iAKRJPn2yGtdRNId64dO-3wEJMV*24&data=04*7C01*7Crullfig*40uic.edu*7C258bf517821b4285086108d95e7df309*7Ce202cd477a564baa99e3e3b71a7c77dd*7C0*7C0*7C637644717300972742*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000&sdata=LiLk0q5NstfLI39*2FAydfbI1p0C4kNnn3Sde3bweLJds*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!MLMg-p0Z!U8iVwiYgYuzIXyJ-bCxnu9wCEbVsa5F5PFNbLHjXA6zbu58K5u8_ZWFLifAW$>
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
> --
> For Consortium Member technical support, see
> https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!MLMg-p0Z!U8iVwiYgYuzIXyJ-bCxnu9wCEbVsa5F5PFNbLHjXA6zbu58K5u8_ZWi4nnHM$
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20210813/2bf81c27/attachment.htm>