MDDriven overrides for defaultAuthenticationMethods

Andrew Jason Morgan morgan at oregonstate.edu
Wed Nov 24 20:47:30 UTC 2021


We started using metadata-driven configuration for new SSO setups a while ago, but we still have some relying-party.xml overrides in place for SPs that we haven't migrated to metadata-driven configuration yet.  I set up a new SP recently (metadata-driven config) that requires MFA, but my testing shows that the MFA requirement is not being enforced.  As I played around with the configuration, I learned that the metadata config is not overriding the DefaultRelyingParty configuration for defaultAuthenticationMethods in relying-party.xml.  Here is the snippet from relying-party.xml:

    <bean parent="SAML2.SSO.MDDriven" p:postAuthenticationFlows="#{{'duoman-warn', 'context-check'}}">
        <property name="defaultAuthenticationMethods">
            <list>
                <ref bean="MFASAML2Principal" />
                <ref bean="PasswordPrincipal" />
            </list>
        </property>
    </bean>

where those methods are:

    <!-- MFA authenticationContextClass setup -->
    <bean id="MFASAML2Principal" parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />

    <!-- PasswordProtectedTransport authenticationContextClass setup -->
    <bean id="PasswordPrincipal" parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />

The SP metadata contains the exact text from the wiki to set defaultAuthenticationMethods:

  <Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://shibboleth.net/ns/attributes/releaseAllValues" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>eduPersonPrincipalName</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://refeds.org/profile/mfa</saml:AttributeValue>
      </saml:Attribute>
      <!-- The disallowedFeatures setting is a bitmask, and 0x1 blocks SPs requesting authentication types. -->
      <saml:Attribute Name="http://shibboleth.net/ns/profiles/disallowedFeatures" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>0x1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>

If I comment out the defaultAuthenticationMethods from the DefaultRelyingParty config, MFA is enforced correctly.

Is this the expected behavior?

Maybe I don't need to set defaultAuthenticationMethods in the DefaultRelyingParty anyway...


Thanks,
Andy Morgan, Identity & Access Management, IT Operations and Identity
Oregon State University | University Information and Technology | 541-737-8877
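An added example, not part of Andy's post or of the Shibboleth project's own code: a small audit script that reads SP metadata and reports which entities carry the http://shibboleth.net/ns/profiles/defaultAuthenticationMethods and disallowedFeatures entity attributes shown in the post. This lets an operator confirm that the MFA requirement is actually present in the metadata (and that the 0x1 bit blocking SP-requested authentication types is set) before hunting for the cause in relying-party.xml. The entityIDs and the plain SP in the sample are constructed; the namespaces are the standard SAML metadata ones; only the 0x1 bit of disallowedFeatures is decoded, since that is the only bit the post describes.

```python
"""Audit SP metadata for Shibboleth metadata-driven authentication settings.

Added example (not from the original post or the Shibboleth project).
Parses <mdattr:EntityAttributes> in each EntityDescriptor and reports the
defaultAuthenticationMethods and disallowedFeatures values an IdP would use.
"""
import xml.etree.ElementTree as ET

# Standard SAML metadata namespaces (not assumptions).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PROFILE_NS = "http://shibboleth.net/ns/profiles/"
DEFAULT_AUTHN = PROFILE_NS + "defaultAuthenticationMethods"
DISALLOWED = PROFILE_NS + "disallowedFeatures"
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Per the comment in the post's metadata, bit 0x1 of disallowedFeatures
# blocks SPs from requesting authentication types themselves. Other bits
# are not described in the post and are left undecoded here.
BLOCK_REQUESTED_AUTHN = 0x1

# Constructed sample: one SP with the post's extensions, one SP without.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp-mfa.example.edu/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://shibboleth.net/ns/attributes/releaseAllValues"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>eduPersonPrincipalName</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>https://refeds.org/profile/mfa</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://shibboleth.net/ns/profiles/disallowedFeatures"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>0x1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-plain.example.edu/shibboleth">
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attributes(entity):
    """Return {attribute Name: [values]} from one EntityDescriptor element."""
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def audit(metadata_xml):
    """Map entityID -> summary of the metadata-driven authentication settings."""
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entities = [root]
    else:
        entities = root.findall("md:EntityDescriptor", NS)
    report = {}
    for entity in entities:
        attrs = entity_attributes(entity)
        methods = attrs.get(DEFAULT_AUTHN, [])
        mask = 0
        # Values may be written as "0x1" or "1"; base 0 accepts both.
        for flag in attrs.get(DISALLOWED, []):
            mask |= int(flag, 0)
        report[entity.get("entityID")] = {
            "defaultAuthenticationMethods": methods,
            "mfa_required_by_metadata": REFEDS_MFA in methods,
            "sp_requested_authn_blocked": bool(mask & BLOCK_REQUESTED_AUTHN),
            "disallowedFeatures": mask,
        }
    return report


if __name__ == "__main__":
    for entity_id, summary in audit(SAMPLE_METADATA).items():
        print(entity_id, summary)
```

Run it against a real metadata file by replacing SAMPLE_METADATA with the file's contents; an SP that is supposed to require MFA but shows `mfa_required_by_metadata: False` has a metadata problem, while one that shows True and still gets password-only authentication points at the relying-party.xml side, which is the situation described in the post.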