Shib Authn Proxy to Azure and Asserting REFEDS

Jeffrey Williams jfwillia at uncg.edu
Fri Jan 22 22:03:15 UTC 2021


Hi All,

I'm trying to configure Shibboleth v4.0.1 to assert
https://refeds.org/profile/mfa after a user MFA's via proxy to Azure, and am
running into some interesting questions.

I have a semi-working instance running in development that is
proxying to Azure using the instructions given at:

https://wiki.shibboleth.net/confluence/display/KB/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD

(note, some additional work to the Azure metadata and subject-c14n.xml were
needed, but not much)

The issue I'm currently dealing with is that Azure AD doesn't clearly
document which AuthnContexts one can request from it, aside from
<https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens#claims-in-saml-tokens:~:text=authenticated.-,%3CAuthnContextClassRef%3E,%3C%2FAuthnContextClassRef%3E>

http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod/password

What Azure seems to do instead is return the above AuthnContext and include
an attribute http://schemas.microsoft.com/claims/authnmethodsreferences
which returns the various authns the user performed.

The example code in authn-comparison.xml seems to indicate that it'll
happily convert between AuthnContexts using
shibboleth.PrincipalProxyResponseMappings
<https://wiki.shibboleth.net/confluence/display/IDP4/AuthenticationConfiguration#AuthenticationConfiguration-AuthenticationTypeMapping:~:text=shibboleth.PrincipalProxyResponseMappings>.
Will it also allow the AuthnContextClassRef to be influenced by a value
returned in the attribute statement?

For example, if within the AttributeStatement, an attribute
http://schemas.microsoft.com/claims/authnmethodsreferences contained a
value http://schemas.microsoft.com/claims/multipleauthn, could one map that
to an https://refeds.org/profile/mfa AuthnContextClassRef in the
AuthnStatement? Or is the mapping simpler than that?

If that's not possible, would it be possible to run a script after the
authn/SAML flow that would do the attribute check and update the
AuthnContext accordingly? I've done scripting for determining when to
present the Duo iFrame, but I'm not sure if it's possible to replace the
AuthnContextClassRef value from a script or not.

Thanks!
-- 
Jeffrey Williams
Identity & Access Engineer
Identity & Access Services
https://its.uncg.edu
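One way to do the attribute-driven mapping the post asks about, as an added example that is not part of the original message, the linked KB article, or the Shibboleth project's own configuration: wrap the SAML proxy flow in the IdP's MFA flow (conf/authn/mfa-authn-config.xml) and let the transition script that runs after authn/SAML inspect the proxied attributes and add an AuthnContextClassRefPrincipal for REFEDS MFA to the result. Everything below beyond the class names of the public IdP API is an assumption rather than something the page states: that the IdP release in use exposes the proxied assertion's attributes on the authn/SAML result's Subject as IdPAttributePrincipal objects, that a transcoder rule has been added mapping http://schemas.microsoft.com/claims/authnmethodsreferences to the hypothetical internal attribute id "azureAuthnMethods", and that the supportedPrincipals of authn/MFA in general-authn.xml already list https://refeds.org/profile/mfa.

```xml
<!-- Added example (not from the original post or the Shibboleth project):
     conf/authn/mfa-authn-config.xml, Shibboleth IdP 4.x. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Step 1: proxy the user to Azure AD via the SAML authn flow. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SAML" />
    </entry>
    <!-- Step 2: inspect what Azure reported and decide what to assert. -->
    <entry key="authn/SAML">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategyRef="checkAzureAuthnMethods" />
    </entry>
</util:map>

<bean id="checkAzureAuthnMethods" parent="shibboleth.ContextFunctions.Scripted"
      factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        // Nashorn script. "input" is the ProfileRequestContext, "logger" is supplied by the IdP.
        var AuthnContextClassRefPrincipal =
            Java.type("net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal");
        var IdPAttributePrincipal =
            Java.type("net.shibboleth.idp.authn.principal.IdPAttributePrincipal");

        var REFEDS_MFA = "https://refeds.org/profile/mfa";
        var AZURE_MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn";
        // ASSUMPTION: transcoder rule maps the Azure authnmethodsreferences claim to this id.
        var AZURE_METHODS_ATTR_ID = "azureAuthnMethods";

        var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        var mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
        var samlResult = mfaCtx.getActiveResults().get("authn/SAML");

        var sawMultipleAuthn = false;
        if (samlResult != null) {
            // ASSUMPTION: proxied attributes are attached to the Subject as IdPAttributePrincipal.
            var attrPrincipals = samlResult.getSubject().getPrincipals(IdPAttributePrincipal.class);
            var pit = attrPrincipals.iterator();
            while (pit.hasNext()) {
                var attr = pit.next().getAttribute();
                if (attr.getId() == AZURE_METHODS_ATTR_ID) {
                    var vit = attr.getValues().iterator();
                    while (vit.hasNext()) {
                        // Azure lists one URI per method used; multipleauthn means MFA happened.
                        if (vit.next().getValue() == AZURE_MULTIPLEAUTHN) {
                            sawMultipleAuthn = true;
                        }
                    }
                }
            }
            if (sawMultipleAuthn) {
                logger.info("Azure reported multipleauthn; asserting " + REFEDS_MFA);
                samlResult.getSubject().getPrincipals().add(new AuthnContextClassRefPrincipal(REFEDS_MFA));
            } else {
                logger.debug("Azure did not report multipleauthn; leaving proxied context unchanged");
            }
        }
        // No further factor to run: returning null completes the MFA flow with the merged result.
        null;
        ]]>
        </value>
    </constructor-arg>
</bean>
```

Only the Subject of the authn/SAML result is modified; the password class mapped through shibboleth.PrincipalProxyResponseMappings stays in place, and the REFEDS MFA principal is added alongside it so the IdP's normal authn-context comparison can satisfy an SP that requested https://refeds.org/profile/mfa. Note the check is entirely on a value Azure asserts about itself: the IdP is trusting the upstream authnmethodsreferences claim, so the Azure metadata and signature validation on the proxied response are what make the added context trustworthy.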