per SP override of MFA in IdP
IAM David Bantz
dabantz at alaska.edu
Fri Aug 27 17:43:40 UTC 2021
Our IdP triggers Duo MFA based on user enrollment indicated in an assurance
attribute (parsed in mfa-authn-config.xml), i.e., for any relying party.
That's worked just fine for years, but I'm now being required to enable
exemptions for particular SPs; that is, even if the user is enrolled in Duo
MFA, do not require Duo when accessing that SP. (Yes, we know it's not a
good idea, especially for the SPs likely to be exempted.)

For the sake of the current issue, ignore, or pretend there are no, requests
with an authn context specified in the incoming request, and assume there are
no relevant contexts other than PPT and REFEDS MFA.

The mfa-authn-config.xml logic should look at the allowed authn contexts and
either proceed normally, relying on the assurance attribute, or override
that based on a per-entity relying-party override in relying-party.xml. I've
tried to indicate the default behavior, then provide overrides where
necessary, as in these snippets from relying-party.xml. I may be doing this
part wrong and am asking for correction if so.
<!-- defaultAuthenticationMethods in SAML2.SSO sends authN to the MFA flow (per
     principal names defined in general-authn.xml) -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" />
            ...
            <bean parent="SAML2.SSO"
                p:defaultAuthenticationMethods="#{{'https://refeds.org/profile/mfa','urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'}}" />
            ...
        </list>
    </property>
</bean>
<!-- Container for any overrides you want to add. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- Services requesting PasswordOnly authentication, i.e., bypass Duo MFA
         even for enrolled users -->
    <!-- The requested override PPT method/context is used in the MFA flow to flag
         bypass of Duo MFA -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://iam.alaska.edu/shibboleth'}}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                    p:defaultAuthenticationMethods="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            </list>
        </property>
    </bean>
</util:list>
Thanks!
David St. Pierre Bantz
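The mfa-authn-config.xml side of the scheme described above, as an added example that is not part of the post or of the Shibboleth project's own configuration. It assumes, as the IdP documentation describes, that when the SP requests no authn context the relying party's defaultAuthenticationMethods are installed as the RequestedPrincipalContext, so the PPT-only override from relying-party.xml shows up there without REFEDS MFA; the bean id checkSecondFactor is a name chosen here, and the poster's existing assurance-attribute enrollment check is referred to but not reproduced.

```xml
<!-- mfa-authn-config.xml: run Password first, then decide whether Duo is needed -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<!-- checkSecondFactor is a hypothetical bean name chosen for this example -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <value>
    <![CDATA[
        var nextFlow = "authn/Duo";
        var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");

        // Assumption (per IdP docs): with no authn context in the request, the relying party's
        // defaultAuthenticationMethods become the RequestedPrincipalContext. For an SP carrying
        // the PPT-only override in relying-party.xml, that list does not contain REFEDS MFA.
        var mfaAllowed = false;
        var rpCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
        if (rpCtx != null) {
            var iter = rpCtx.getRequestedPrincipals().iterator();
            while (iter.hasNext()) {
                if (iter.next().getName().equals("https://refeds.org/profile/mfa")) {
                    mfaAllowed = true;
                }
            }
        }

        if (!mfaAllowed) {
            // Override says password-only: stop after authn/Password; the issued
            // assertion carries PasswordProtectedTransport, so the SP can see no MFA
            // was performed. mfaCtx.isAcceptable() is deliberately not used for this
            // decision: the default list also contains PPT, so it would be satisfied
            // after Password for every SP, not just the exempted ones.
            nextFlow = null;
        }
        // Otherwise nextFlow stays "authn/Duo" and the existing enrollment check on
        // the assurance attribute (from the poster's current config) follows here
        // unchanged, setting nextFlow = null for users not enrolled in Duo.

        nextFlow;
    ]]>
    </value>
</bean>
```

For the PPT-only override to reach this script at all, the authn/MFA flow descriptor in general-authn.xml must list both PasswordProtectedTransport and https://refeds.org/profile/mfa among its supportedPrincipals; otherwise the IdP will not consider the MFA flow eligible for that relying party.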