Fun with proxying to AzureAD

Tony Skalski ajs at stolaf.edu
Mon Jun 7 18:34:46 UTC 2021


Are you referring to the fact that the SP is requesting the
https://refeds.org/profile/mfa AuthnContextClassRef but Azure is returning
something like "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"?

I dealt with a similar situation with proxying to Google - whose IdP only
returns "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified". See my email
to the list from Feb 24, subject: "addDefaultPrincipals vs
PrincipalProxyResponseMappings". I solved it by adjusting the
PrincipalProxyResponseMappings in conf/authn/authn-comparison.xml -
basically telling the IdP that
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified is as good as
urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

If there is a way to get Azure to implement https://refeds.org/profile/mfa
that would be preferable. IIRC someone on one of the Shib NIH MFA calls
mentioned that Microsoft was working on this, but I could be misremembering
things. My solution is not optimal as it somewhat misrepresents the
authentication (in our case MFA is enforced by Google for all accounts),
but I had no hope that Google was going to fix it anytime soon.

ajs

On Fri, Jun 4, 2021 at 2:45 PM mat houser <mhouser at uwm.edu> wrote:

> Hello all,
>
> We're working on proxying our Shib IdP to Azure mostly to get our
> student population enrolled in an MFA solution. Everything appears to be
> working properly except for the https://refeds.org/profile/mfa business
> breaking things when the user hits the Azure login page.
>
> I saw that there was a thread around January on this topic, but is there
> any documentation around on what we would need to do to proxy requests
> from SPs that are requiring the MFA context, or does anybody have any
> examples of how other institutions have addressed this issue?
>
> Thanks in advance,
>
> -Mat
>
> --
> -------------
> mat:houser
> mhouser at uwm.edu
> uwm:uits:iam-support
> -------------
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>


-- 
*Tony Skalski*
System Administrator | IT

*Office: *507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
stolaf.edu
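For readers who want to see what the mapping Tony describes looks like in the file, here is an added illustration (not Tony's actual configuration, and not copied from the Shibboleth project) of a conf/authn/authn-comparison.xml fragment for the Google case: the proxied IdP only ever returns "unspecified", and the mapping tells the local IdP to treat that as equivalent to "Password". The bean id shibboleth.PrincipalProxyResponseMappings, the shibboleth.SAML2AuthnContextClassRef parent bean and the map/entry/key/list layout are assumed to match the IdP v4 template that ships with the distribution; check your own copy of the file before relying on the exact names.

```xml
<!--
  Added example, not the poster's file. It assumes the IdP v4
  conf/authn/authn-comparison.xml layout, where the proxy response
  mappings are a Map<Principal, Collection<Principal>> bean named
  shibboleth.PrincipalProxyResponseMappings. Only the relevant map is
  shown; the rest of the file (namespaces, comparison rules) is unchanged.
-->
<util:map id="shibboleth.PrincipalProxyResponseMappings">

    <!--
      Google's IdP (as described in the thread) always answers with
      urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified. Map that value
      (the key) to the Principal(s) the local IdP should actually record
      (the list). Here it is treated as equivalent to Password.
    -->
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" />
        </key>
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
        </list>
    </entry>

    <!--
      Deliberately NOT included: a mapping from the upstream value to
      https://refeds.org/profile/mfa. Adding that entry would make the IdP
      assert the REFEDS MFA profile to every SP, so it is only defensible
      if the upstream IdP really enforces MFA for every account that can
      reach the proxy, as Tony notes is the case for his Google tenant.
      If the upstream returns Password for a password-only login, such a
      mapping would misrepresent the authentication to relying parties.
    -->

</util:map>
```

The key side is what the proxied IdP returns in its AuthnContextClassRef; the list side is what the local IdP will believe about the session and use when comparing against what an SP requested. Each entry widens what counts as satisfying a request, so keep the list as narrow as the upstream IdP's actual behaviour justifies.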