MFA flow with TOTP plugin

Phil Chapman phil.chapman at adept.co.uk
Wed Jul 21 16:55:12 UTC 2021


Hello again,

In authn-comparison.xml I have now defined the following AuthenticationPrincipalWeightMap...

<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
  <entry>
    <key>
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    </key>
    <value>1</value>
  </entry>
  <entry>
    <key>
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken" />
    </key>
    <value>2</value>
  </entry>
</util:map>

...but I'm still struggling to make my MFA flow work the way that I'd like.  Can someone tell me whether the following combination is possible?

1. SPs do not specify an authentication method.

2. IdP has MFA flow enabled and always starts with the Password flow.

3. If Password auth succeeds, a bean in mfa-authn-config.xml decides whether the user needs to move on to the TOTP plugin/flow, based on the entityID of the SP and an attribute query performed against the user's account.

4. If the user does complete the TOTP plugin/flow then the authentication method reported to the SP is ...TimeSyncToken.  If the user doesn't visit the TOTP plugin/flow then the authentication method reported to the SP is ...PasswordProtectedTransport.  In this way, the SP gets confirmation of whether TOTP auth happened successfully at the IdP (so someone who is required to use TOTP but didn't because they had no token registered can be forced to register one by the SP).


My current configuration contains:

* In authn.properties (many lines omitted!):

idp.authn.flows = MFA

idp.authn.Password.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

idp.authn.TOTP.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken

idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

* In mfa-authn-config.xml, there's a configuration based closely on the example in the Wiki (under "Programmatically Selecting Flows") which seems to be working as intended.

* In the shibboleth.DefaultRelyingParty bean within relying-party.xml:

<bean parent="SAML2.SSO">
  <property name="defaultAuthenticationMethods">
    <list>
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    </list>
  </property>
</bean>


Points 2 and 3 seem to be working fine but the authentication method reported to the SP is always ...PasswordProtectedTransport - judging by the logs, because the "defaultAuthenticationMethods" property says that's what the SP wants.

If I add a "RelyingPartyByName" override to relying-party.xml, specifying "defaultAuthenticationMethods" as ...TimeSyncToken for selected SPs, then that's what's always reported to those SPs, even if TOTP wasn't used.

If I include both ...PasswordProtectedTransport and ...TimeSyncToken in the DefaultRelyingParty "defaultAuthenticationMethods" then whichever one of these appears first in the <list> is reported to the SP, whether or not TOTP was used.

How can the authentication method reported to the SP be ...PasswordProtectedTransport by default, but be "upgraded" to ...TimeSyncToken if (and only if) the TOTP plugin/flow is used?  It feels like my AuthenticationPrincipalWeightMap isn't working - or do I need to do something with "inexact" matching?

Guidance would be appreciated, as always.
Phil.

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: 01 June 2021 14:51
To: Shib Users <users at shibboleth.net>
Subject: Re: MFA flow with TOTP plugin

>    2. If an SP didn't specify a preferred authentication method

SAML doesn't do "preferred" methods. There's required and there's "I don't care", nothing in between.

> during initiation of the login, then is there any way for the SP to discover afterwards whether or not TOTP was
> used? The idp.authn.TOTP.addDefaultPrincipals configuration property implies that
> urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken will be added to the results, but after successful 2FA
> the ShibAuthenticationMethod and ShibAuthnContextClass server variables still only show
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

https://wiki.shibboleth.net/confluence/display/IDP4/AuthenticationConfiguration

"Note that if you associate more than one supportedPrincipal value with a flow, the IdP will ordinarily pick one at random to use as a SAML "result" when it builds an assertion, assuming the SP didn't request a specific one. If you need to guarantee that a particular one will be used as a default, you can assign "weights" to them in a map bean that's defined in the authn-comparison.xml file named shibboleth.AuthenticationPrincipalWeightMap"

-- Scott
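The "decide whether TOTP is needed" step that point 3 of the question describes, as an added example that is not part of the thread, not Shibboleth's code and not the wiki example the poster based his bean on. The Nashorn glue that reads the IdP's `input` contexts (the AuthenticationContext, its MultiFactorAuthenticationContext, the RelyingPartyContext and the resolved attributes) is deliberately left out so the decision itself can be run and tested in Node without an IdP. The policy shape, the entityIDs, the attribute names `mfaRequired` and `totpEnrolled`, and the `reason` strings are all assumptions for illustration:

```javascript
// Added example, not Shibboleth's code: a Node-testable model of the MFA
// "next flow" decision. Flow ids and the per-flow principals are taken from
// the authn.properties in the post; everything else is an assumption.

const FLOW_PASSWORD = "authn/Password";
const FLOW_TOTP = "authn/TOTP";

// supportedPrincipals per flow, as configured in the post.
const FLOW_PRINCIPALS = {
  [FLOW_PASSWORD]: ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"],
  [FLOW_TOTP]: ["urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"],
};

// Constructed sample policy (assumption): which SPs get a second factor, for whom.
const SAMPLE_POLICY = {
  alwaysTotp: new Set(["https://hr.example.org/shibboleth"]),       // every user
  attrTotp: new Set(["https://finance.example.org/shibboleth"]),    // only flagged users
  requiredAttr: "mfaRequired",  // resolved attribute; "true" => user must do TOTP
  enrolledAttr: "totpEnrolled", // resolved attribute; "true" => user has a token
};

function attrIsTrue(attributes, name) {
  const vals = attributes[name] || [];
  return vals.some((v) => String(v).toLowerCase() === "true");
}

// state = { completedFlows: string[], relyingPartyId: string, attributes: {name: [values]} }
// Returns { nextFlow, reason }; nextFlow === null means "stop, finalise with what ran".
function nextFlow(state, policy = SAMPLE_POLICY) {
  const done = new Set(state.completedFlows);
  if (!done.has(FLOW_PASSWORD)) {
    return { nextFlow: FLOW_PASSWORD, reason: "password-first" }; // point 2: always start here
  }
  if (done.has(FLOW_TOTP)) {
    return { nextFlow: null, reason: "totp-done" };
  }
  const rp = state.relyingPartyId;
  const required =
    policy.alwaysTotp.has(rp) ||
    (policy.attrTotp.has(rp) && attrIsTrue(state.attributes, policy.requiredAttr));
  if (!required) {
    return { nextFlow: null, reason: "totp-not-required" };
  }
  if (!attrIsTrue(state.attributes, policy.enrolledAttr)) {
    // Required but no token registered: the script cannot force enrolment, so it
    // stops after Password. The SP can only learn this from the asserted class
    // (PasswordProtectedTransport without TimeSyncToken), which is point 4.
    return { nextFlow: null, reason: "totp-required-not-enrolled" };
  }
  return { nextFlow: FLOW_TOTP, reason: "totp-required" };
}

// Principals the completed sub-flows contribute to the final result. Whether the
// IdP then asserts TimeSyncToken is the selection question the thread is about.
function contributedPrincipals(completedFlows) {
  const out = new Set();
  for (const f of completedFlows) {
    for (const p of FLOW_PRINCIPALS[f] || []) out.add(p);
  }
  return [...out];
}

// Drive one login through the decision until it stops; sub-flows are assumed to succeed.
function runLogin(relyingPartyId, attributes, policy = SAMPLE_POLICY) {
  const completed = [];
  const trace = [];
  for (;;) {
    const d = nextFlow({ completedFlows: completed, relyingPartyId, attributes }, policy);
    trace.push(d.reason);
    if (d.nextFlow === null) break;
    completed.push(d.nextFlow);
  }
  return { flows: completed, principals: contributedPrincipals(completed), trace };
}

// Constructed sample logins (assumption), one per branch of the policy.
const SAMPLE_RUNS = [
  runLogin("https://hr.example.org/shibboleth", { totpEnrolled: ["true"] }),
  runLogin("https://wiki.example.org/shibboleth", {}),
  runLogin("https://finance.example.org/shibboleth", { mfaRequired: ["true"] }),
];
for (const r of SAMPLE_RUNS) console.log(r.trace.join(" -> "), r.principals);
```

In the IdP this logic lives in the scripted function bean referenced from the `shibboleth.authn.MFA.Transitions` map, as in the wiki section the poster cites; the `reason` string is what you would log at each transition. Note that the third sample run ends with only PasswordProtectedTransport contributed, which is exactly the signal point 4 wants the SP to receive; getting the IdP to assert TimeSyncToken only when it is among the contributed principals is the selection behaviour Scott's quoted paragraph describes, and is the part the question leaves open.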
