Shib Authn Proxy to Azure and Asserting REFEDS

Jeffrey Williams jfwillia at uncg.edu
Mon Jan 25 19:57:58 UTC 2021


On Mon, Jan 25, 2021 at 12:13 PM Chris Phillips <Chris.Phillips at canarie.ca>
wrote:

> Hi Jeffrey..
>
> Thanks for the feedback on the KB article!
>

No problem!  If it helps, I'm happy to share specifics on what I did that
wasn't included.  Robert Bradley at Oxford was also able to clue me into
the proxy request and response mappings in authn-comparison.xml, so we can
translate MFA requests from the SP into something


>
>
> One way to look at the MFA approach is that **all** accounts from Azure
> AD require MFA to go through the Shib IdP Proxy. Therefore, all accounts
> are MFA by default. If this is true for your Azure tenant, you can work on
> attesting an AuthNContext as REFEDS MFA. I don’t have precise settings for
> that for the KB article however.  If you go this route, let me know and
> will work it into the article..
>

Since MFA has been mandated at the university system level for NC, we will
be in the 100% MFA usage scenario.


>
>
> While it sounds like an easy win, it only works for 100% MFA coverage  --
> or at least 100% coverage of the _*users*_  through that proxy instance –
> ie an MFA only IdP. I cringe more than a bit though – it doesn’t scale well
> and may not be very palatable (or allowed?) for the same scopes inside a
> given federation.
>

Can you elaborate a bit on the scalability issue?  It may be a non-issue
for this deployment, but I'm curious.


>
>
>
> *From: *"users-bounces at shibboleth.net" <users-bounces at shibboleth.net> on
> behalf of SHIB-USERS <users at shibboleth.net>
> *Reply-To: *SHIB-USERS <users at shibboleth.net>
> *Date: *Friday, January 22, 2021 at 5:03 PM
> *To: *SHIB-USERS <users at shibboleth.net>
> *Cc: *Jeffrey Williams <jfwillia at uncg.edu>
> *Subject: *Shib Authn Proxy to Azure and Asserting REFEDS
>
>
>
> Hi All,
>
>
>
> I'm trying to configure Shibboleth v4.0.1 to assert
> https://refeds.org/profile/mfa after a user MFA's via proxy to Azure and
> am running into some interesting questions.
>
>
>
> I have a semi-working instance running in development that is doing
> proxying to Azure using the instructions given at:
>
>
>
>
> https://wiki.shibboleth.net/confluence/display/KB/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD
>
>
>
> (note, some additional work to the Azure metadata and subject-c14n.xml
> were needed, but not much)
>
> The issue I'm currently dealing with is that Azure AD doesn't have it
> clearly documented what AuthnContexts one can request from it aside from
> <https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens#claims-in-saml-tokens:~:text=authenticated.-,%3CAuthnContextClassRef%3E,%3C%2FAuthnContextClassRef%3E>
>
>
> http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod/password
>
> What Azure seems to do instead is return the above AuthnContext and
> include an attribute
> http://schemas.microsoft.com/claims/authnmethodsreferences which returns
> the various authn's the user performed.
>
> The example code in authn-comparison.xml seems to indicate that it'll
> happily convert between AuthnContexts using
> shibboleth.PrincipalProxyResponseMappings
> <https://wiki.shibboleth.net/confluence/display/IDP4/AuthenticationConfiguration#AuthenticationConfiguration-AuthenticationTypeMapping:~:text=shibboleth.PrincipalProxyResponseMappings>.
> Will it also allow AuthnContextClassRef to be influenced by a value
> returned in the attribute statement?
>
> For example, if  within the AttributeStatement, an attribute
> http://schemas.microsoft.com/claims/authnmethodsreferences contained a
> value http://schemas.microsoft.com/claims/multipleauthn, could one map
> that to a https://refeds.org/profile/mfa authnContextClassRef in the
> AuthnStatement? Or is the mapping more simple than that?
>
>
>
> If that's not possible, would it be possible to run a script after the
> authn/SAML flow that would do the attribute check and update the
> AuthnContext accordingly?  I've done scripting for determining when to
> present the Duo iFrame, but I'm not sure if it's possible to replace the
> AuthnContextClassRef value from a script or not.
>
>
>
> Thanks!
>
> --
>
> Jeffrey Williams
>
> Identity & Access Engineer
> Identity & Access Services
> https://its.uncg.edu
>
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>


-- 
Jeffrey Williams
Identity & Access Engineer
Identity & Access Services
https://its.uncg.edu
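The question in the thread is whether a proxy can decide what AuthnContextClassRef to assert downstream from a value in the upstream AttributeStatement rather than from the upstream AuthnContextClassRef alone. The block below is an added illustration of that decision logic, not code from the thread, the Shibboleth IdP or the KB article, and it does not use Shibboleth's authn-comparison.xml mappings or any IdP API. It parses a constructed Azure-style SAML Response, reads both the AuthnContextClassRef and the authnmethodsreferences attribute, and only asserts https://refeds.org/profile/mfa when the multipleauthn value is present. The mapping table (Azure password context to PasswordProtectedTransport, multipleauthn to REFEDS MFA), the sample Response and the password authnmethodsreferences value are assumptions for the example; the two URIs taken from the thread are used as-is.

```python
"""Added example: derive the downstream AuthnContextClassRef from an upstream
Azure AD SAML Response.  This is NOT Shibboleth's PrincipalProxyResponseMappings;
it only shows the check the thread asks about (MFA signalled by an attribute
value, not by the upstream AuthnContextClassRef)."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Values quoted in the thread.
AZURE_AMR_ATTR = "http://schemas.microsoft.com/claims/authnmethodsreferences"
AZURE_MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
AZURE_PASSWORD_CTX = ("http://schemas.microsoft.com/ws/2008/06/identity/"
                      "claims/authenticationmethod/password")
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Assumption: the downstream context to assert for a password-only login.
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Assumption: the authnmethodsreferences value Azure uses for a password factor.
AZURE_PASSWORD_AMR = ("http://schemas.microsoft.com/ws/2008/06/identity/"
                      "authenticationmethod/password")


def upstream_contexts(response_xml):
    """Return (authn_context_class_refs, authnmethodsreferences values)
    found in the upstream Response.  Missing elements yield empty lists."""
    root = ET.fromstring(response_xml)
    ctx_path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    ctx = [e.text.strip() for e in root.iterfind(ctx_path, NS) if e.text]
    amr = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AZURE_AMR_ATTR:
            amr.extend(v.text.strip()
                       for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return ctx, amr


def contexts_to_assert(response_xml):
    """Map what Azure returned onto the contexts the proxy may assert.
    REFEDS MFA is asserted only when the attribute carries multipleauthn;
    the upstream AuthnContextClassRef alone never earns it."""
    ctx, amr = upstream_contexts(response_xml)
    out = []
    if AZURE_MULTIPLEAUTHN in amr:
        out.append(REFEDS_MFA)
    if AZURE_PASSWORD_CTX in ctx:
        out.append(PASSWORD_PROTECTED)
    return out


def select_for_request(requested, response_xml):
    """Pick the first SP-requested class the proxy can honestly assert.
    Returns None when nothing matches (e.g. SP asked for REFEDS MFA but the
    upstream login was password-only), which the caller must treat as a
    failed authentication rather than silently downgrading."""
    assertable = contexts_to_assert(response_xml)
    for cls in requested:
        if cls in assertable:
            return cls
    return None


def _response(amr_values):
    """Build a minimal, constructed Azure-style Response (not a captured one)."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>"
                     for v in amr_values)
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{AZURE_PASSWORD_CTX}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AZURE_AMR_ATTR}">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples: a login that completed MFA and a password-only login.
SAMPLE_MFA_RESPONSE = _response([AZURE_PASSWORD_AMR, AZURE_MULTIPLEAUTHN])
SAMPLE_PASSWORD_RESPONSE = _response([AZURE_PASSWORD_AMR])

if __name__ == "__main__":
    print("MFA login asserts:", contexts_to_assert(SAMPLE_MFA_RESPONSE))
    print("Password login asserts:", contexts_to_assert(SAMPLE_PASSWORD_RESPONSE))
    print("SP wants REFEDS MFA, password-only upstream ->",
          select_for_request([REFEDS_MFA], SAMPLE_PASSWORD_RESPONSE))
```

The point of `select_for_request` returning None is the caveat that matters in a proxy: if the SP requested REFEDS MFA and the upstream response carries only the password value, the proxy must fail the request, not fall back to asserting a weaker class the SP did not ask for.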