Ex: Reuse MFA flow bean

Wessel, Keith kwessel at illinois.edu
Fri Sep 17 14:37:02 UTC 2021


Nice! If I understand correctly, the MFA flow will only re-run if the user hasn't already satisfied all factors, correct? That way, you're not running the MFA flow again if there's nothing more for it to do?

Thanks for sharing this.


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Paul B. Henson
Sent: Thursday, September 16, 2021 2:43 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Ex: Reuse MFA flow bean

On Wed, Sep 15, 2021 at 03:24:11PM +0000, Wessel, Keith wrote:
> Are there any examples out there yet of what I can do with this bean 
> to perhaps get me headed down the right path? I see none o the wiki. I 
> welcome any suggestions.

Here's what I'm currently using. Basically, if the user has already done MFA, reuse it, if they haven't check to see if they need to.

            var result = false;
            var logger = Java.type("org.slf4j.LoggerFactory").getLogger("authn_mfa_reuse");
            var authnCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            if (authnCtx != null) {
                var authn_result = authnCtx.getActiveResults().get("authn/MFA");
                    if (authn_result != null) {
                        var principals = authn_result.getSubject().getPrincipals();
                            function(principal) {
                                if (principal instanceof Java.type("net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal")) {
                                    var name = principal.getName();
                                    logger.debug("considering principal " + name);
                                    if (name.equals("https://urldefense.com/v3/__https://refeds.org/profile/mfa__;!!DZ3fjg!tfbwToAkSBVuQzVAlLYXrRJIypH0mfjl-XBJR4056xIgoOQIf6vibO1gKzHxSwONfw$ ")) {
                                        logger.debug("authn/MFA flow reusable");
                                        result = true;
                    } else {
                        logger.error("no authn/MFA result found");
                } else {
                    logger.error("AuthenticationContext is null");

            logger.debug("returning " + result);

Paul B. Henson  |  (909) 979-6361  |  https://urldefense.com/v3/__http://www.cpp.edu/*henson/__;fg!!DZ3fjg!tfbwToAkSBVuQzVAlLYXrRJIypH0mfjl-XBJR4056xIgoOQIf6vibO1gKzGXYqxT3g$
Operating Systems and Network Analyst  |  henson at cpp.edu California State Polytechnic University  |  Pomona CA 91768
For Consortium Member technical support, see https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!DZ3fjg!tfbwToAkSBVuQzVAlLYXrRJIypH0mfjl-XBJR4056xIgoOQIf6vibO1gKzHvTQTQjw$
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list