Example Context to Principal Mapping Strategy

Sean Mason sean.mason at uwaterloo.ca
Mon Jun 7 13:26:16 UTC 2021

Hello Shibboleth Users!

Thanks to some help from the Shibboleth team I now have an upgraded Shibboleth IdP v4.1.2 running with the new DuoOIDC (Nimbus) plugin following the basic instructions, including SPs requesting an MFA Authentication Context.

I'm now attempting to experiment with a custom "Context to Principal Mapping Strategy" with the example outlined in: https://wiki.shibboleth.net/confluence/display/IDPPLUGINS/DuoOIDCAuthnConfiguration#duo-oidc-adv-principals

The example being:
<bean id="shibboleth.authn.DuoOIDC.ContextToPrincipalMappingStrategy" parent="shibboleth.ContextFunctions.Scripted"
           //setup logger and types
            logger = Java.type("org.slf4j.LoggerFactory").getLogger("org.example.duo.script");
            var ArrayList = Java.type("java.util.ArrayList");
            var ACR = Java.type("net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal");

            //create new output collection
            var principals = new ArrayList(1);

            var ac = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            if (ac != null){
                var dc = ac.getSubcontext("net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext");
                if (dc != null){
                     if (dc.getAuthToken() != null && "duo_push".equals(dc.getAuthToken().getJWTClaimsSet().getJSONObjectClaim("auth_context").get("factor"))){
                         principals.add(new ACR(http://example.org/ac/classes/mfa/strong));
            //return obj is the value of the last expression.

I inserted the example into conf/authn/duo-oidc-authn-config.xml

If I attempt the example verbatim the IdP throws an error stating:
"Invalid property 'outputType' of bean class [net.shibboleth.idp.profile.context.navigate.ScriptedContextLookupFunction]: Bean property 'outputType' is not writable or has an invalid setter method. Does the parameter type of the setter match the return type of the getter?"

If I remove 'p:outputType="java.util.Collection"' from the example I'm able to progress (though now I'm in unknown territory).  The supplied script does execute without the outputType attribute. I've added some logging to the example to show that.  What I am finding is:

1) input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");  -- pulls a value, "ac"
2) ac.getSubcontext("net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext"); -- results in a null value.  The Duo JWT claimset/Subcontext isn't available for some reason.  (At least, it isn't available using the supplied method after changing the bean definition by removing the outputType)

In the logs I see the http client:
DEBUG [org.apache.http.wire:73] - http-outgoing-3 >> "POST /oauth/v1/token HTTP/1.1[\r][\n]"
which returns:
DEBUG [org.apache.http.wire:73] - http-outgoing-3 << "HTTP/1.1 200 OK[\r][\n]"
... along with some gzip content I cannot read from the logs.

I then see:
INFO [net.shibboleth.idp.plugin.authn.duo.impl.ValidateDuoTokenAuthenticationResult:186] - Profile Action ValidateDuoTokenAuthenticationResult: Duo 2FA authentication succeeded for 'user-redacted', which suggests to me the plugin believes Duo Auth was successful.

So it appears the Duo authn is successful, but I'm unable to obtain the result from shibboleth.authn.DuoOIDC.ContextToPrincipalMappingStrategy when using the example code?  Any idea of what I've missed?  Perhaps it relates to having to remove the p:outputType from the example?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20210607/38555765/attachment.htm>

More information about the users mailing list