MDDriven overrides for defaultAuthenticationMethods

Andrew Jason Morgan morgan at oregonstate.edu
Thu Nov 25 01:46:32 UTC 2021


I think I can answer my own question...  The only flow I have enabled (idp.authn.flows=MFA) is the MFA flow.  If a request specifies an accRef not in its list of supportedPrincipals, it should return a SAML error.  If a request does not specify an accRef, the MFA flow will run and one of the accRefs will return depending on whether Duo was performed or not.

There should be no practical effect if I remove the defaultAuthenticationMethods setting.

Do I have that correct?  🙂

Andy

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Andrew Jason Morgan <morgan at oregonstate.edu>
Sent: Wednesday, November 24, 2021 5:26 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: MDDriven overrides for defaultAuthenticationMethods

It seems like I should be able to remove my defaultAuthenticationMethods setting from the DefaultRelyingParty.  Our authn/MFA flow has:

            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="https://refeds.org/profile/mfa" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                </list>
            </property>

and defaultAuthenticationMethods allows "https://refeds.org/profile/mfa" and "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport".

What happens if an SP requests an accRef that is not in the authn/MFA supportedPrincipals list?  We have idp.authn.flows=MFA, and it uses the authn/Password and authn/Duo flows internally.

Thanks,
Andy


________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Wednesday, November 24, 2021 4:14 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: MDDriven overrides for defaultAuthenticationMethods

On 11/24/21, 6:23 PM, "users on behalf of Andrew Jason Morgan" <users-bounces at shibboleth.net on behalf of morgan at oregonstate.edu> wrote:

>    What happens if I don't set defaultAuthenticationMethods in the DefaultRelyingParty?  I have
> idp.authn.flows=MFA, and I have defined the supportedPrincipals for authn/MFA.  Do I need to "turn off"
> other flows at all?  I wonder if my defaultAuthenticationMethods setting is just vestigial at this point....

They're for different purposes. The supportedPrincipals property of a login method determines what that method supports so that if something is requested, it knows whether it should try that flow. It generally also auto-populates the result of the flow with those classes.

The defaultAuthenticationMethods property is an IdP-side imposition of a requirement that takes the place of an SP requesting something and is basically in SAML terms the same as if the SP requested an exact match of one of those classes.

Setting anything on the DefaultRelyingParty beans applies if there's no override that directs it to use a different configuration. An override could take effect, and if metadata is involved, the metadata would apply, but only if the override did. Otherwise the default would apply and the explicit setting there would win.

Combining things gets tricky, but is deterministic.

-- Scott


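To make the interaction Scott describes concrete, here is an added Python model (not Shibboleth IdP code, and not from either poster) of how an SP's requested AuthnContextClassRef, the flow's supportedPrincipals and defaultAuthenticationMethods combine. The single-flow setup, which classes the MFA flow's result carries, and the unsupported-class value are assumptions stated in the comments.

```python
# Added model of the decision described in the thread; not Shibboleth IdP code.
# Assumptions: one enabled flow (idp.authn.flows=MFA) with the three
# supportedPrincipals from the thread; defaultAuthenticationMethods behaves like
# an exact-match request and is consulted only when the SP requested nothing;
# the flow's result carries PasswordProtectedTransport and Password, plus the
# REFEDS MFA class when Duo ran (whether Duo runs is an input to the model).
MFA = "https://refeds.org/profile/mfa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# flow name -> supportedPrincipals, as in the authn/MFA bean quoted above
FLOWS = {"authn/MFA": frozenset({MFA, PPT, PASSWORD})}


def effective_request(sp_requested, default_methods):
    """SP's own request wins; else defaultAuthenticationMethods; () = no constraint."""
    return tuple(sp_requested) if sp_requested else tuple(default_methods)


def select_flow(requested):
    """A flow is tried only if it supports at least one requested class."""
    for name, supported in FLOWS.items():
        if not requested or set(requested) & supported:
            return name
    return None


def authenticate(sp_requested=(), default_methods=(), duo_performed=False):
    """Return ("ok", <class emitted>) or ("saml-error", <reason>)."""
    requested = effective_request(sp_requested, default_methods)
    if select_flow(requested) is None:
        return ("saml-error", "NoAuthnContext")  # nothing enabled supports it
    satisfied = {PPT, PASSWORD} | ({MFA} if duo_performed else set())
    if not requested:
        return ("ok", MFA if MFA in satisfied else PPT)  # "one of the accRefs"
    for cls in requested:  # exact match, in the requester's order of preference
        if cls in satisfied:
            return ("ok", cls)
    return ("saml-error", "result did not satisfy the requested class")


def default_is_vestigial():
    """Andy's claim: with only the MFA flow enabled, dropping
    defaultAuthenticationMethods changes no outcome. Checked over the request
    shapes in the thread plus a constructed unsupported class, both Duo outcomes."""
    cases = [(), (MFA,), (PPT,), (PASSWORD,), ("urn:example:unsupported",)]
    return all(
        authenticate(sp, (MFA, PPT), duo) == authenticate(sp, (), duo)
        for sp in cases for duo in (False, True)
    )
```

The error branches are where a defender should look in the IdP logs: an unsupported class request fails before any flow runs, while a request the flow could not satisfy fails after authentication completed.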
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net