Any recommendations/validation of a scheme to select a SAML Proxy or Password/MFA authentication flow based on relying party / SP entityID?

Wessel, Keith kwessel at illinois.edu
Fri Jan 14 15:58:41 UTC 2022 

Why can't you make a "check first factor" script that the MFA flow calls first, then have that script check the relying party ID and return the flow where you want ti to go? Much easier than creating a custom flow.

Keith


From: users <users-bounces at shibboleth.net> On Behalf Of Mak, David
Sent: Friday, January 14, 2022 9:56 AM
To: users at shibboleth.net
Subject: Any recommendations/validation of a scheme to select a SAML Proxy or Password/MFA authentication flow based on relying party / SP entityID?

I've configured SAML Proxy in both IDP 4.0.1 and 4.1.4 in our dev environments, in preparation for some architectural changes within our authentication architecture.

We have a need to select an authentication flow based on the entityID of the service provider's/relying parties' SAML request. It will default to SAML Proxy unless the SP/RP is in a smaller list, in which case we want to use the default MFA authN flow we have which uses the Password and Duo MFA methods.

As I see it, I will need to create a custom authN flow that checks the entityID for a match to that list, then continue with either the SAML Proxy or the MFA flows as needed.

I need to read up on the Spring web flow stuff more, but on first glance, I'm having trouble determining if this is possible with the design I described. It seems the only end-state is a "proceed" and I can't quite see how a custom authN flow can initiate either a SAML Proxy flow or a MFA authN flow.

Any advice would be appreciated. Thanks in advance!

David Mak (Pronouns: He/Him/His)
Identity Services Specialist
Information Technology Services
Northeastern University
360 Huntington Ave. Boston MA 02115-5000
Mail Stop: 302-216
O:617-373-7836 M:617-840-7543
d.mak at northeastern.edu<mailto:%20d.mak at neu.edu>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220114/43079bcd/attachment.htm>

More information about the users mailing list