Shibboleth with Azure AD and handling REFEDS MFA compliance
Daniels, John
DANIELSJ1 at chop.edu
Wed Jun 16 14:20:53 UTC 2021
We are working to get ready for the NIH requirements to support REFEDS MFA.
Currently our setup is Shibboleth 4.1 using this guide to proxy to Azure AD: https://wiki.shibboleth.net/confluence/display/KB/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD
I’ve implemented the Proxy task 6 to support AuthnContext and also edited authn.properties to add:
idp.authn.SAML.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password, \
saml2/https://refeds.org/profile/mfa
However, when using the ERA compliance check tool, which asserts the requirement for an AuthnContext of https://refeds.org/profile/mfa, my IdP cannot find an appropriate flow to answer the request.
I’ve looked through other user list threads and haven’t found a solution.
DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:431] - Profile Action SelectAuthenticationFlow: Checking for inactive flow compatible with operator 'exact' and principal 'https://refeds.org/profile/mfa'
DEBUG [net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:126] - Registry located predicate factory of type 'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory' for principal type 'class net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal' and operator 'exact'
INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:455] - Profile Action SelectAuthenticationFlow: None of the potential authentication flows can satisfy the request
We are forcing MFA on all requests that we proxy to Azure. So if there is an easier way where we can just assert the authn context, that would work too, but I have been unable to locate the correct way to do this.
Any guidance would be greatly appreciated. I’m not sure if I’m just not doing the 4.1 part correctly or what.
Thanks,
John
--
John Daniels
Principal Systems Engineer
Children's Hospital of Philadelphia Research Institute
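The following is an added example, not code from the original post or from the Shibboleth project. It checks the two things a practitioner wants to confirm when debugging the situation described above: that the saml2/ entries in an idp.authn.SAML.supportedPrincipals value (with its backslash line continuations) actually parse to the AuthnContextClassRef the SP's RequestedAuthnContext asks for under the 'exact' operator, and that the Response coming back through the proxy asserts that same class. The properties fragment, the AuthnRequest and both Responses are constructed for illustration; entity IDs, request IDs and timestamps are placeholders.

```python
"""Check a SAML2 AuthnRequest's RequestedAuthnContext against the flows an IdP
declares in authn.properties, then confirm what the Response asserts.

Added example, not from the original post or the Shibboleth project. All XML
and the properties fragment are constructed; IDs and entity IDs are placeholders."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REFEDS_MFA = "https://refeds.org/profile/mfa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed Java-properties fragment in the same shape as the post's snippet:
# a trailing backslash continues the value on the next line.
AUTHN_PROPERTIES = r"""
idp.authn.SAML.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password, \
    saml2/https://refeds.org/profile/mfa
"""

# Constructed SP request asking for REFEDS MFA with the 'exact' operator.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-request" Version="2.0" IssueInstant="2021-06-16T14:20:53Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def _response(class_ref):
    """Build a minimal constructed Response asserting one context class."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-response"
    Version="2.0" IssueInstant="2021-06-16T14:20:55Z">
  <saml:Assertion ID="_placeholder-assertion" Version="2.0" IssueInstant="2021-06-16T14:20:55Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2021-06-16T14:20:54Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

RESPONSE_MFA = _response(REFEDS_MFA)   # what a compliant proxy response looks like
RESPONSE_PPT = _response(PPT)          # password-only context: not MFA

def parse_supported_principals(properties_text, key="idp.authn.SAML.supportedPrincipals"):
    """Return the saml2/ AuthnContextClassRef values declared for one flow.
    Continuation lines are joined first; saml1/ entries are a different
    principal type and cannot answer a SAML2 RequestedAuthnContext, so they
    are dropped."""
    joined = re.sub(r"\\\s*\n\s*", "", properties_text)
    for line in joined.splitlines():
        if line.strip().startswith(key):
            _, _, value = line.partition("=")
            entries = [e.strip() for e in value.split(",") if e.strip()]
            return {e[len("saml2/"):] for e in entries if e.startswith("saml2/")}
    return set()

def requested_contexts(authn_request_xml):
    """Return (comparison, [class refs]); SAML core defaults Comparison to 'exact'."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs

def can_satisfy(requested, supported, comparison="exact"):
    """'exact' selection: a requested class must be declared verbatim by a flow.
    The other SAML operators need an ordering the IdP configures separately
    and are out of scope for this example."""
    if comparison != "exact":
        raise ValueError(f"comparison '{comparison}' is not handled here")
    return [r for r in requested if r in supported]

def asserted_contexts(response_xml):
    """Every AuthnContextClassRef asserted by an AuthnStatement in the Response."""
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in ET.fromstring(response_xml).iterfind(path, NS)]

def check_mfa_compliance(authn_request_xml, response_xml, properties_text):
    """Tie the three checks together for one request/response pair."""
    comparison, requested = requested_contexts(authn_request_xml)
    supported = parse_supported_principals(properties_text)
    asserted = asserted_contexts(response_xml)
    return {
        "requested": requested,
        "flow_can_answer": bool(can_satisfy(requested, supported, comparison)),
        "asserted": asserted,
        "satisfied": any(a in requested for a in asserted),
    }

if __name__ == "__main__":
    for name, resp in (("mfa", RESPONSE_MFA), ("password", RESPONSE_PPT)):
        print(name, check_mfa_compliance(AUTHN_REQUEST, resp, AUTHN_PROPERTIES))
```

Run it against a captured AuthnRequest and the decoded Response from the proxy (and the real authn.properties) to separate the two failure modes: "flow_can_answer" false means the IdP's declared principals do not cover the requested class (the "None of the potential authentication flows can satisfy the request" case), while "satisfied" false with "flow_can_answer" true means the flow was selectable but what came back did not carry the requested class.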