Authn.properties supported principals and MFA
Wessel, Keith
kwessel at illinois.edu
Thu Aug 19 19:46:18 UTC 2021
All,
I'm trying to make the switch from general-authn.xml to authn.properties, and everything's working except for the right auth context being returned to the SP. I have an SP that isn't requesting any explicit authn contexts and a user who's required by policy to perform 2FA. I'm expecting the Refeds MFA profile context to be returned to my SP, but it's reporting password. I have the Refeds MFA profile set in the supported principals for the Duo flow. It's also set for the MFA flow alongside the password principal.
I've also tried adding the MFA profile to the list of weighted responses in authn-comparison.xl. I assume that shouldn't be necessary because the IdP should be selecting a context from the last flow that ran inside the MFA flow which is Duo instead of selecting randomly from all principals supported by the MFA flow. Is that true? Nevertheless, I tried this:
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
</key>
<value>1</value>
</entry>
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://refeds.org/profile/mfa" />
</key>
<value>2</value>
</entry>
</util:map>
It didn't change anything.
My relevant authn.properties settings look like:
idp.authn.Duo.supportedPrincipals = \
saml2/https://refeds.org/profile/mfa \
saml1/https://refeds.org/profile/mfa
idp.authn.MFA.supportedPrincipals = \
saml2/https://refeds.org/profile/mfa \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/https://refeds.org/profile/mfa \
saml1/urn:oasis:names:tc:SAML:1.0:am:password
Where am I going wrong on this?
Thanks,
Keith
More information about the users
mailing list