MFA login flow and reuse-condition

Ulf Seltmann ulf.seltmann at hmt-leipzig.de
Thu Apr 14 07:06:10 UTC 2022


Hello list,

I am trying to establish a configuration to force MFA for specific services and reuse password auth. For this I override the relyingParty configuration like this:

relying-party.xml:
```xml
...
<util:list id="shibboleth.RelyingPartyOverrides">
...
  <bean parent="RelyingPartyByName">

    <constructor-arg name="relyingPartyIds">
      <list>
        <value>https://mfa.example.com/shibboleth</value>
      </list>
    </constructor-arg>

    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
          <property name="defaultAuthenticationMethods">
            <list>
              <bean parent="shibboleth.SAML2AuthnContextClassRef" 
                c:classRef="urn:de:zedat:fudis:SAML:2.0:ac:classes:CR" />
            </list>
          </property>
        </bean>

        <ref bean="SAML2.Logout" />
        <ref bean="SAML2.AttributeQuery" />
        <ref bean="SAML2.ArtifactResolution" />
      </list>
    </property>
  </bean>

</util:list>
...
```

authn.properties:
```ini
...
idp.authn.flows = MFA

idp.authn.MFA.supportedPrincipals = \
  saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
  saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
  saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
  saml1/urn:oasis:names:tc:SAML:1.0:am:password, \
  saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR

idp.authn.MFA.reuseCondition=shibboleth.Conditions.FALSE
idp.authn.Password.reuseCondition=shibboleth.Conditions.TRUE
idp.authn.fudiscr.reuseCondition=shibboleth.Conditions.FALSE
```

mfa-authn-config.xml:
```xml
...
<util:map id="shibboleth.authn.MFA.TransitionMap">
  <entry key="">
    <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password"/>
  </entry>
  <entry key="authn/Password">
    <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor"/>
  </entry>
</util:map>

<bean 
  id="checkSecondFactor" 
  parent="shibboleth.ContextFunctions.Scripted" 
  factory-method="inlineScript">

  <constructor-arg>
    <value>
    <![CDATA[
      logger = Java.type( "org.slf4j.LoggerFactory" ).getLogger( "checkSecondFactor" );

      // Check if second factor is necessary for request to be satisfied.
      authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
      mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

      if (mfaCtx.isAcceptable()) {
        logger.info("mfaCtx.isAcceptable() == true; nextflow = null");
        nextflow = null;               // request already satisfied, end the MFA flow here
      } else {
        logger.info("mfaCtx.isAcceptable() == false; nextflow = authn/fudiscr");
        nextflow = "authn/fudiscr";   // pass control to second factor or end with the first
      }

      nextflow;
    ]]>
    </value>
  </constructor-arg>
</bean>
```

When I log in to a non-MFA service for the first time everything is OK: I am asked for password auth and all attributes are transmitted to the service.
When I afterwards log in to an MFA-forced service the previous password auth is reused, I am asked for the OTP auth and on success all attributes are transmitted to the service.

When I log in to an MFA-forced service for the first time everything is OK: I am asked for password auth and OTP auth and all attributes are transmitted to the service.
When I afterwards log in to a non-MFA service the previous password auth is reused, but no attributes are transmitted to the service.

The same happens when I remove the session in the MFA-forced service so that I have to log in again: I am asked neither for the password nor for the OTP, no attributes are transmitted to the service, and authorization fails.

This is what I get in the idp-process.log:
```
...
INFO [checkSecondFactor:10] - mfaCtx.isAcceptable() == true; nextflow = null
ERROR [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:78] - Profile Action SelectSubjectCanonicalizationFlow: No potential flows left to choose from, canonicalization will fail
INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:142] - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/MFA to intermediate set
INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:316] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication failed
INFO [Shibboleth-Audit.SSO:283] - 172.17.5.53|2022-04-12T09:53:55.529622Z|2022-04-12T09:53:55.689067Z||https://mfa.example.com/shibboleth|||||||false|false||Redirect|POST||Requester|urn:oasis:names:tc:SAML:2.0:status:AuthnFailed|ebdf1477efcc0e1acab1bf72aa5f47205a17f136228551a3f607d96c4def60aa|Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
```

Even for the MFA-forced service the `mfaCtx.isAcceptable()` function returns `true` on the reuse flow. Should that not always be false?

What am I missing here?

Thanks in advance for your help.

cheers
-- 
Ulf Seltmann
System-Administrator

Hochschule für Musik und Theater Leipzig
IT-Dienste
Grassistraße 8 | 04107 Leipzig
Tel.: +49 341 2144 681
ulf.seltmann at hmt-leipzig.de | www.hmt-leipzig.de
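As an added example that is not part of the original post or of the Shibboleth IdP's own code: a Node.js harness that stubs the two IdP contexts the inline script touches, so the transition logic can be exercised offline against constructed situations before it is deployed. The method names `getSubcontext`, `isAcceptable`, `getActiveResults` and `getRequestedPrincipals` follow the IdP API, but the stub objects, the `makeInput` helper and the `checkSecondFactorByRequest` variant are assumptions of this example. Walked through the reused-password situation from the log above, the logic as posted returns `null` whenever `isAcceptable()` is `true`, regardless of which flow results are active; the variant additionally requires a result from the second-factor flow when the request carries the CR class, and fails closed when a context is missing.

```javascript
// Added example, not from the original post or the Shibboleth IdP: an offline
// harness for the checkSecondFactor transition script. The IdP runs that script
// with Nashorn/Rhino against real contexts; here they are replaced by stubs
// (assumed shapes, using the real method names) so the logic runs under Node.js.

const AUTHN_CTX = "net.shibboleth.idp.authn.context.AuthenticationContext";
const MFA_CTX = "net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext";
const REQ_CTX = "net.shibboleth.idp.authn.context.RequestedPrincipalContext";
const CR_CLASS = "urn:de:zedat:fudis:SAML:2.0:ac:classes:CR";
const PPT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
const SECOND_FACTOR_FLOW = "authn/fudiscr";

// Build a stub ProfileRequestContext (constructed test double, not the IdP class).
//   activeFlowIds   : flow ids that have an active result (e.g. a reused "authn/Password")
//   acceptable      : what the stub's isAcceptable() reports
//   requestedClasses: AuthnContext class refs the request asks for (null = no RequestedPrincipalContext)
//   withMfaCtx      : false simulates a missing MultiFactorAuthenticationContext
function makeInput({ activeFlowIds = [], acceptable = false, requestedClasses = null, withMfaCtx = true }) {
  const results = new Map(activeFlowIds.map((id) => [id, { flowId: id }]));
  const mfaCtx = withMfaCtx
    ? {
        isAcceptable: () => acceptable,
        // Java-Map-like view of the active results, keyed by flow id
        getActiveResults: () => ({ containsKey: (id) => results.has(id) }),
      }
    : null;
  const reqCtx = requestedClasses
    ? { getRequestedPrincipals: () => requestedClasses.map((n) => ({ getName: () => n })) }
    : null;
  const authnCtx = {
    getSubcontext: (name) => (name === MFA_CTX ? mfaCtx : name === REQ_CTX ? reqCtx : null),
  };
  return { getSubcontext: (name) => (name === AUTHN_CTX ? authnCtx : null) };
}

// The transition logic exactly as posted: the decision rests on isAcceptable() alone.
function checkSecondFactorAsPosted(input) {
  const authCtx = input.getSubcontext(AUTHN_CTX);
  const mfaCtx = authCtx.getSubcontext(MFA_CTX);
  return mfaCtx.isAcceptable() ? null : SECOND_FACTOR_FLOW;
}

// Assumed variant (not from the post): when the request carries the CR class,
// end the flow only if a result from the second-factor flow is actually active;
// otherwise defer to isAcceptable(). A missing context fails closed.
function checkSecondFactorByRequest(input) {
  const authCtx = input.getSubcontext(AUTHN_CTX);
  const mfaCtx = authCtx && authCtx.getSubcontext(MFA_CTX);
  if (!mfaCtx) return SECOND_FACTOR_FLOW;
  const reqCtx = authCtx.getSubcontext(REQ_CTX);
  const requested = reqCtx ? reqCtx.getRequestedPrincipals().map((p) => p.getName()) : [];
  const wantsSecondFactor = requested.includes(CR_CLASS);
  const hasSecondFactor = mfaCtx.getActiveResults().containsKey(SECOND_FACTOR_FLOW);
  if (wantsSecondFactor && !hasSecondFactor) return SECOND_FACTOR_FLOW;
  return mfaCtx.isAcceptable() ? null : SECOND_FACTOR_FLOW;
}

// Constructed situation mirroring the log: a reused password result, a context
// that already reports acceptable, and an MFA-forced service requesting the CR class.
const reusedPasswordAtMfaService = () =>
  makeInput({ activeFlowIds: ["authn/Password"], acceptable: true, requestedClasses: [CR_CLASS] });

// Constructed situation for a non-MFA service: same reused password, PPT class requested.
const reusedPasswordAtPlainService = () =>
  makeInput({ activeFlowIds: ["authn/Password"], acceptable: true, requestedClasses: [PPT_CLASS] });

console.log("MFA service, as posted   :", checkSecondFactorAsPosted(reusedPasswordAtMfaService()));
console.log("MFA service, by request  :", checkSecondFactorByRequest(reusedPasswordAtMfaService()));
console.log("plain service, by request:", checkSecondFactorByRequest(reusedPasswordAtPlainService()));
```

The harness only models the script's own branching; it says nothing about how the IdP populates the contexts, which is what decides the real value of `isAcceptable()`. Its use is to pin down, with a few constructed inputs, which active results the script will and will not accept before the configuration is changed in production.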