Using a different SP entity ID with the IdP SAML authn flow

Wessel, Keith kwessel at illinois.edu
Mon Sep 20 15:54:27 UTC 2021


But I am coding defensively. That's how I'm catching the null value.

This code always falls through to my last else block and reports authentication context is null. I'm invoking it as the responder ID lookup strategy for the IdP that I'm proxying to:

        <bean parent="RelyingPartyByName" c:relyingPartyIds="%{idp.saml-proxy.entityID}"
            p:responderIdLookupStrategy-ref="proxySPEntityIDStrategy">
            <property name="profileConfigurations">
                <list>
                    <ref bean="SAML2.SSO"/>
                </list>
            </property>
        </bean>

Here's my code in case you have suggestions to make it more defensive. But it's definitely running and falling through to that last else. If I can't get the authentication context, I obviously can't dig deeper to get the requested principals.

                // Default to the IdP's own entity ID; overridden below only when the
                // SP's requested authn context class refs ask for MFA or password.
                var spEntityID = "%{idp.entityID}";
                var logger = Java.type("org.slf4j.LoggerFactory").getLogger("proxy_sp_entity_id");
                // 'input' is the ProfileRequestContext; the AuthenticationContext is
                // only present once the authn flow has added it, so check for null.
                var authnCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");

                if (authnCtx != null) {
                    // Original post had a typo here ('authCtx'), which throws and never reaches the else.
                    var reqprCtx = authnCtx.getSubcontext("net.shibboleth.idp.authn.context.RequestedPrincipalContext");

                    if (reqprCtx != null) {
                        var requestedPrincipals = reqprCtx.getRequestedPrincipals();

                        requestedPrincipals.forEach(
                            function(principal) {
                                // Only authn context class refs are of interest; skip other principal types.
                                if (principal instanceof Java.type("net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal")) {
                                    var name = principal.getName();
                                    logger.debug("considering principal " + name);

                                    if (name.equals("https://refeds.org/profile/mfa")) {
                                        logger.debug("SP requested MFA");
                                        spEntityID = "%{idp.entityID}:mfa";
                                    }
                                    else if (name.equals("urn:oasis:names:tc:SAML:2.0:ac:classes:Password")) {
                                        logger.debug("SP requested password only");
                                        spEntityID = "%{idp.entityID}:password";
                                    }
                                }
                            }
                        );
                    } else {
                        logger.debug("No requested principals, using default");
                    }
                } else {
                    logger.error("AuthenticationContext is null");
                }

                logger.debug("Using entity ID " + spEntityID);
                // Last expression is the script's return value.
                spEntityID;
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Friday, September 17, 2021 7:31 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Using a different SP entity ID with the IdP SAML authn flow

On 9/17/21, 5:01 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

>    The ProfileRequestContext (input in my bean) doesn't seem to contain the authentication context.

It's there once it's added, and it's not until it is. You're not coding defensively so that the function runs safely at all times.

-- Scott


-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
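An added Node.js model of the responder-ID lookup logic discussed in this thread (not code from the post or from the Shibboleth IdP): it reproduces the selection rule with constructed mock context objects standing in for the IdP's ProfileRequestContext tree, so the "AuthenticationContext not yet added" case can be exercised offline. The mock object shapes (`makeContext`, `classRefPrincipal`, `buildInput`) are assumptions for this illustration; only the class names and class-ref URIs come from the post.

```javascript
// Constants taken from the script in the thread.
const AUTHN_CTX = "net.shibboleth.idp.authn.context.AuthenticationContext";
const REQ_PRINCIPAL_CTX = "net.shibboleth.idp.authn.context.RequestedPrincipalContext";
const MFA_CLASS_REF = "https://refeds.org/profile/mfa";
const PASSWORD_CLASS_REF = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password";

// Assumed stand-in for a BaseContext: subcontexts looked up by class name,
// returning null when absent, as getSubcontext() does in the IdP.
function makeContext(subcontexts = {}) {
  return { getSubcontext: (name) => (name in subcontexts ? subcontexts[name] : null) };
}

// Assumed stand-in for AuthnContextClassRefPrincipal; other principal types
// are plain objects without the `classRef` marker.
function classRefPrincipal(name) {
  return { classRef: true, getName: () => name };
}

// Pick the proxy SP entity ID from the requested authn context class refs.
// Any missing context in the chain yields the default, so the script is safe
// to run before the authentication flow has populated the context tree.
// As in the original script, the last matching class ref wins.
function selectSpEntityId(input, defaultEntityId) {
  let spEntityID = defaultEntityId;
  const authnCtx = input ? input.getSubcontext(AUTHN_CTX) : null;
  if (authnCtx === null) return spEntityID;          // not yet added: keep default
  const reqprCtx = authnCtx.getSubcontext(REQ_PRINCIPAL_CTX);
  if (reqprCtx === null) return spEntityID;          // SP requested nothing specific
  for (const principal of reqprCtx.getRequestedPrincipals()) {
    if (!principal.classRef) continue;               // ignore other principal types
    const name = principal.getName();
    if (name === MFA_CLASS_REF) {
      spEntityID = `${defaultEntityId}:mfa`;
    } else if (name === PASSWORD_CLASS_REF) {
      spEntityID = `${defaultEntityId}:password`;
    }
  }
  return spEntityID;
}

// Constructed inputs for the three states discussed in the thread:
// undefined -> no AuthenticationContext yet; null -> authn context present
// but no RequestedPrincipalContext; an array -> that list of principals.
function buildInput(requestedPrincipals) {
  if (requestedPrincipals === undefined) return makeContext();
  if (requestedPrincipals === null) return makeContext({ [AUTHN_CTX]: makeContext() });
  const reqprCtx = { getRequestedPrincipals: () => requestedPrincipals };
  return makeContext({ [AUTHN_CTX]: makeContext({ [REQ_PRINCIPAL_CTX]: reqprCtx }) });
}
```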

