Need help setting up Shibboleth 4.1 for MFA support for REFEDS/NIH

Murphy, Patrick murphyp1 at msu.edu
Wed Jul 28 18:51:50 UTC 2021


We are installing a new Shibboleth 4.1.2 IdP.  We have it working with some of our existing sites that were migrated from V2.  I need to figure out how to set up the MFA component to convert the MFA attributes supplied by our Okta SSO solution into the required ones for REFEDS/NIH.  I am new to Shibboleth and the whole Spring beans configuration mechanism, so any pointers would be appreciated.

Here are the attribute values returned from Okta:

<saml2:AuthnStatement AuthnInstant="2021-07-27T18:56:30.122Z"
SessionIndex="_685bb706e2a3ecaa1d6ce10af4f826ef"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
  </saml2:AuthnContext>
</saml2:AuthnStatement>

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="authenticationContext"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>swk</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>mfa</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>pwd</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>

I need to convert the attribute value to:

<saml2:AuthnStatement AuthnInstant="2021-07-27T18:56:30.122Z"
SessionIndex="_685bb706e2a3ecaa1d6ce10af4f826ef"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>https://refeds.org/profile/mfa</saml2:AuthnContextClassRef>
  </saml2:AuthnContext>
</saml2:AuthnStatement>


Thanks for any help you can provide.
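
The mapping decision described in the message above, as an added Python example that is not part of the original post and is not Shibboleth configuration: it reads the Okta `authenticationContext` attribute and yields the REFEDS MFA class reference only when an exact `mfa` value is present. The function names are hypothetical, the sample is constructed from the fragments in the post, and the assertion is assumed to have already passed signature validation.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Constructed sample, trimmed from the assertion fragments in the post.
# Assumption: its signature was validated before this code sees it.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AuthnStatement AuthnInstant="2021-07-27T18:56:30.122Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="authenticationContext">
      <saml2:AttributeValue>swk</saml2:AttributeValue>
      <saml2:AttributeValue>mfa</saml2:AttributeValue>
      <saml2:AttributeValue>pwd</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def upstream_methods(assertion):
    """Values of the Okta 'authenticationContext' attribute, whitespace-stripped."""
    values = set()
    for attr in assertion.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") == "authenticationContext":
            for v in attr.iterfind("saml2:AttributeValue", NS):
                values.add((v.text or "").strip())
    return values


def downstream_class_ref(assertion_xml):
    """Class ref to assert to the SP: REFEDS MFA only on an exact 'mfa' value."""
    assertion = ET.fromstring(assertion_xml)
    if "mfa" in upstream_methods(assertion):
        return REFEDS_MFA
    # No MFA evidence: pass the upstream class ref through, never upgrade it.
    ref = assertion.find(".//saml2:AuthnContextClassRef", NS)
    return (ref.text or "").strip() if ref is not None else None


if __name__ == "__main__":
    print(downstream_class_ref(SAMPLE))
```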
