Shibboleth with Azure AD and handling REFEDS MFA compliance
DANIELSJ1 at chop.edu
Wed Jun 16 14:20:53 UTC 2021
We are working to get ready for the NIH requirements to support REFEDS MFA.
Currently our setup is Shibboleth 4.1 using this guide to proxy to Azure AD: https://wiki.shibboleth.net/confluence/display/KB/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD
I’ve implemented the Proxy task 6 to support AuthnContext and also edited authn.properties to add:
idp.authn.SAML.supportedPrincipals = \
However, when using the ERA compliance check tool which asserts the requirement for AuthnContext of https://refeds.org/profile/mfa, my IDP cannot find an appropriate flow to answer the request.
I’ve looked through other user list threads and haven’t found a solution.
DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:431] - Profile Action SelectAuthenticationFlow: Checking for inactive flow compatible with operator 'exact' and principal 'https://refeds.org/profile/mfa'
DEBUG [net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:126] - Registry located predicate factory of type 'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory' for principal type 'class net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal' and operator 'exact'
INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:455] - Profile Action SelectAuthenticationFlow: None of the potential authentication flows can satisfy the request
We are forcing MFA on all requests that we proxy to Azure. So if there is an easier way where we can just assert the authn context, that would work too, but I have been unable to locate the correct way to do this.
Any guidance would be greatly appreciated. I’m not sure if I’m just not doing the 4.1 part correctly or what.
Principal Systems Engineer
Children's Hospital of Philadelphia Research Institute
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the users