Forcing MFA for some SPs and not Others
Ullfig, Roberto Alfredo
rullfig at uic.edu
Fri Aug 13 17:48:57 UTC 2021
I thought that would be it, but it isn't: the SP rejects the identity now. The relying party looks like this.
<!-- Force MFA here for relying parties THAT DON'T HAVE OTHER BEANS DEFINED IN THIS FILE -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://jostle.us','box.net'}}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                <property name="defaultAuthenticationMethods">
                    <list>
                        <ref bean="MFASAML2Principal" />
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Brian Moon via users <users at shibboleth.net>
Sent: Friday, August 13, 2021 12:41 PM
To: Shib Users <users at shibboleth.net>
Cc: Brian Moon <bmoon at scu.edu>
Subject: Re: Forcing MFA for some SPs and not Others
So that user exception code should be as follows:
// Entitlement group excepted from Duo
if( epe != null && epe.getValues().contains(new stringType("https://shibboleth.uic.edu/entitlement/shibexemptfromduo")) )
{
    nextFlow = null;
}
By having if( mfaCtx.isAcceptable() ) in there, you are still deferring to what the SP wants rather than overriding it.
Cheers!
Brian Moon
Senior System Administrator, Enterprise Systems
Santa Clara University
On Fri, Aug 13, 2021 at 10:35 AM Ullfig, Roberto Alfredo <rullfig at uic.edu> wrote:
...but then that breaks my code to have user exceptions in mfa-authn-config.xml. Is there a way to force it by application in relying-party yet still have a user exception?
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: Ullfig, Roberto Alfredo <rullfig at uic.edu>
Sent: Friday, August 13, 2021 12:28 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Forcing MFA for some SPs and not Others
That was it; I was too quick to remove the code I had in relying-party.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Ullfig, Roberto Alfredo <rullfig at uic.edu>
Sent: Friday, August 13, 2021 12:15 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Forcing MFA for some SPs and not Others
I had been using relying-party before but wanted more control so moved everything entirely to mfa-authn-config.xml. I can try with some of the old relying party code again, thanks.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Brian Moon via users <users at shibboleth.net>
Sent: Friday, August 13, 2021 12:11 PM
To: Shib Users <users at shibboleth.net>
Cc: Brian Moon <bmoon at scu.edu>
Subject: Re: Forcing MFA for some SPs and not Others
Hello Roberto,
Check out this bit of documentation here: https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1474297850/Supporting+the+REFEDS+MFA+Profile
Basically what you need to do is ensure that you are directing everything to the MFA flow. Within the MFA flow, follow the example to check to see if a second factor is needed and then pass on control as needed.
You will also need to ensure that you have the MFA principals defined and then use conf/relying-party.xml to require MFA for certain SPs.
Hope that helps
Brian Moon
Senior System Administrator, Enterprise Systems
Santa Clara University
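The two pieces Brian describes (send every login through the MFA flow, then decide on the second factor inside it) and the entitlement exemption from his later reply, put together as an added example of a conf/authn/mfa-authn-config.xml fragment; this is constructed for illustration and is not the posters' configuration. It assumes "authn/Duo" as the second-factor flow id, "eduPersonEntitlement" as the resolved attribute id, and that attributes are resolved into an AttributeContext under the AuthenticationContext (the location is an assumption). The relying-party.xml side that names the MFA principal for particular SPs is the bean shown earlier in the thread.

```xml
<!-- conf/authn/mfa-authn-config.xml (fragment). Constructed example, not the posters' config. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- The first factor is always the password flow (an existing session may satisfy it). -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- After the password, decide whether a second factor is needed. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
            // Assumed second-factor flow id; adjust to the flow actually deployed.
            nextFlow = "authn/Duo";

            // 1. Defer to the relying party. The MFA context is "acceptable" when the
            //    results already active for this session satisfy what the SP requires
            //    (via defaultAuthenticationMethods in relying-party.xml or the AuthnRequest).
            //    A password-only session created at a non-MFA SP is not acceptable to an SP
            //    that names the MFA principal, so the user is stepped up rather than waved through.
            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
            if (mfaCtx.isAcceptable()) {
                nextFlow = null;
            }

            // 2. Per-user exemption. This deliberately does not consult isAcceptable():
            //    the entitlement overrides the SP's requirement instead of deferring to it.
            //    AttributeContext location and attribute id are assumptions of this example.
            attrCtx = authCtx.getSubcontext("net.shibboleth.idp.attribute.context.AttributeContext");
            stringType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
            epe = (attrCtx != null) ? attrCtx.getIdPAttributes().get("eduPersonEntitlement") : null;
            if (epe != null && epe.getValues().contains(new stringType("https://shibboleth.uic.edu/entitlement/shibexemptfromduo"))) {
                nextFlow = null;
            }

            nextFlow;   // null ends the MFA flow with the first factor only
        ]]>
        </value>
    </constructor-arg>
</bean>
```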
On Fri, Aug 13, 2021 at 10:02 AM Wessel, Keith <kwessel at illinois.edu> wrote:
That's not true if you have MFA configured properly. The second MFA should see that the currently satisfied authentication methods aren't sufficient and should prompt the user for step-up authentication. That is, it'll skip asking the user for their username and password again but will go straight to the MFA prompt.
Keith
From: users <users-bounces at shibboleth.net> On Behalf Of Ullfig, Roberto Alfredo
Sent: Friday, August 13, 2021 11:56 AM
To: Shib Users <users at shibboleth.net>
Subject: Forcing MFA for some SPs and not Others
Is there a way for Shibboleth to create different cookies for different SPs? For instance, if I force MFA on an application on the IDP side I can easily get around MFA by logging into another SP that doesn't require MFA first because I've already identified myself.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net