Forcing MFA for some SPs and not Others
Ullfig, Roberto Alfredo
rullfig at uic.edu
Fri Aug 13 20:42:16 UTC 2021
> For instance, if I force MFA on an application on the IDP side I can easily get around MFA by logging into another SP that doesn't require MFA first because I've already identified myself.
> Reuse of the Entire authn/MFA Flow Result (When Is a MFA Next Flow Strategy Executed?)
OK thanks for that, but that's no longer the issue I see after putting relying-party back to how it was originally. Now what I see is that the behavior is fine for any users not entitled to an exception. It's the users with the exceptions that are failing on the FIRST login to any app which is forced to use MFA (or requests MFA) - this bit of code:
// Entitlement group excepted from Duo (epe holds the resolved eduPersonEntitlement attribute;
// stringType is net.shibboleth.idp.attribute.StringAttributeValue obtained via Java.type)
if (epe != null && epe.getValues().contains(new stringType("https://shibboleth.uic.edu/entitlement/shibexemptfromduo"))) {
    // Only skip Duo when the factors so far already satisfy what the SP requested
    if (mfaCtx.isAcceptable()) {
        nextFlow = null;
    }
}
With that if statement nextFlow is still set to "authn/Duo" - without the if statement I get various errors depending on the application. With ITrust I get:
Status: urn:oasis:names:tc:SAML:2.0:status:Requester
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext
Message: An error occurred.
So are we still talking about the same thing?
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Mak, Steve <makst at upenn.edu>
Sent: Friday, August 13, 2021 1:53 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Forcing MFA for some SPs and not Others
> For instance, if I force MFA on an application on the IDP side I can easily get around MFA by logging into another SP that doesn't require MFA first because I've already identified myself.
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631610/MultiFactorAuthnConfiguration#Reuse-of-the-Entire-authn/MFA-Flow-Result-(When-Is-a-MFA-Next-Flow-Strategy-Executed?)
Reuse of the Entire authn/MFA Flow Result (When Is a MFA Next Flow Strategy Executed?)
As with any other login flow, if the IdP determines that an active MFA flow result with a particular principal satisfies a request it will reuse the entire MFA result with that principal. As such the IdP will not rerun the authn/MFA flow and any logic in a next flow strategy in the transition map will not have a chance to execute a second time for that user.
The IdP may, however, be configured so that the IdP runs the MFA flow and executes the next flow strategy logic even if the result would normally satisfy the request.
There is an explicit property you can set on the login flow descriptor bean in authn/general-authn.xml (V4.0), or by defining a bean and setting a corresponding idp.authn.MFA.reuseCondition property (V4.1+) that attaches a second kind of condition logic to the login flows called a "reuse condition".
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
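The following is an added example, not code from either message or from the Shibboleth project, showing how the two pieces discussed above fit together in conf/authn/mfa-authn-config.xml: a next-flow script that decides between Password-only and authn/Duo using an entitlement exemption, and a scripted reuse condition so that an MFA result created at a non-MFA SP is not silently reused at an SP the IdP wants to force MFA for. The bean id mfaReuseCondition, the forcedSPs entityIDs and the eduPersonEntitlement value are constructed for the example; the transition-map and attribute-resolution calls follow the shape of the IdP's shipped example script, and the assumption that the reuse condition receives the ProfileRequestContext as input is taken from the quoted wiki text.

```xml
<!-- conf/authn/mfa-authn-config.xml (excerpt, example only) -->

<!-- Transition map: run Password first, then decide whether Duo is needed. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<!-- Next-flow strategy evaluated after a successful Password login. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
      p:customObject-ref="shibboleth.AttributeResolverService">
    <constructor-arg>
        <value><![CDATA[
        nextFlow = "authn/Duo";

        // Hypothetical entityIDs the IdP insists on Duo for, regardless of what the SP requests.
        var forcedSPs = ["https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"];
        var exemptEntitlement = "https://shibboleth.uic.edu/entitlement/shibexemptfromduo";

        authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
        rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
        rpId = (rpCtx != null) ? rpCtx.getRelyingPartyId() : null;

        if (mfaCtx.isAcceptable() && forcedSPs.indexOf(rpId) < 0) {
            // Password alone satisfies the request and the IdP does not insist on more.
            nextFlow = null;
        } else {
            // Resolve eduPersonEntitlement for the current user to check the exemption.
            resCtx = input.getSubcontext(
                "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
            usernameLookupStrategyClass = Java.type(
                "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
            resCtx.setPrincipal(new usernameLookupStrategyClass().apply(input));
            resCtx.getRequestedIdPAttributeNames().add("eduPersonEntitlement");
            resCtx.resolveAttributes(custom);

            epe = resCtx.getResolvedIdPAttributes().get("eduPersonEntitlement");
            stringType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
            exempt = (epe != null && epe.getValues().contains(new stringType(exemptEntitlement)));
            input.removeSubcontext(resCtx);   // cleanup

            // An exempt user skips Duo only when the SP did not itself request an MFA
            // context class. If it did, returning null here leaves nothing that can
            // satisfy the request, and the SP sees NoAuthnContext instead of a login.
            if (exempt && mfaCtx.isAcceptable()) {
                nextFlow = null;
            }
        }

        nextFlow;   // "authn/Duo" to run the second factor, null to finish with Password
        ]]></value>
    </constructor-arg>
</bean>

<!-- Reuse condition: returning false makes the IdP rerun authn/MFA (and the script
     above) even when an active MFA result would normally satisfy the request.
     V4.1+: reference it from conf/authn/authn.properties with
         idp.authn.MFA.reuseCondition = mfaReuseCondition
     V4.0: set p:reuseCondition-ref="mfaReuseCondition" on the authn/MFA bean in
     conf/authn/general-authn.xml instead. Keep forcedSPs in sync with the script. -->
<bean id="mfaReuseCondition" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value><![CDATA[
        var forcedSPs = ["https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"];
        rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
        rpId = (rpCtx != null) ? rpCtx.getRelyingPartyId() : null;
        // true = reuse the existing MFA result, false = rerun the MFA flow for this SP
        forcedSPs.indexOf(rpId) < 0;
        ]]></value>
    </constructor-arg>
</bean>
```

The reuse condition is what closes the gap described in the quoted wiki text: without it, a user who first signs in at an SP with no MFA requirement leaves behind an MFA flow result that satisfies any later request without a requested context class, so the next-flow script never gets a second chance to send that user to Duo.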