Shibboleth 4.2.x and ADFS/Azure

Matthew Slowe matthew.slowe at jisc.ac.uk
Fri Oct 21 07:26:27 UTC 2022


On 20/10/2022 14:30, Mårtensson, Roger via users wrote:
> Hej!
> 
> I am trying to implement REFEDS MFA using Shibboleth IDP v4.2 using 
> this URL. (Shibboleth IDP SAML proxy to an ADFS with MFA support)
> 
> https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1467056889/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD
> 
> After some tweaking to get it working with our ADFS service I got it to 
> work... almost.
> 
> I can log in and get the required MFA input. The problems start after 
> successfully logging in.
> 
> It’s nothing new and I’ve found many references to it on the Web. ADFS 
> (and Azure) do not return the correct strings in the AuthnContext. It is 
> returned as an attribute (claim).

It (Azure AD IdP) seems to _always_ return the authn methods in an 
attribute (claim):

<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
  <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
  <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>

but will only return the multipleauthn value as the (single valued?) 
AuthnContextClassRef when it's been specifically requested by the 
[proxying IDP] SP.

The note at the end of the howto will map the incoming REFEDS request 
and the outgoing response to/from "multipleauthn". Have you done both 
PrincipalProxyRequestMappings and PrincipalProxyResponseMappings parts 
and definitely enabled SAML2AuthnContextClassRef in the 
supportedPrincipals property? If so, is the REFEDS MFA profile 
definitely being requested by the target SP?

... or are you hoping to _always_ return the MFA AuthnContextClassRef if 
that's what was used upstream regardless of what the SP asked for?

We've occasionally seen issues where the user has a pre-existing session 
at the Azure IdP with some other (Kerberos based, I think) authn method 
- the Azure IdP sometimes refuses to respond moaning about incompatible 
methods.

Hope that helps,
-- 
Matthew Slowe [he/him] (GPG: 0x6BE0CF7D04600314)
Senior Technical Consultant and Support specialist, Jisc
Team: 01235 822185
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
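The two mapping maps the reply asks about, written out as an added example. This is not configuration from the thread or from the Shibboleth wiki page linked above; it assumes IdP 4.1 or later, where these maps are declared in conf/authn/saml-authn-config.xml under the bean ids shown, and it uses the REFEDS MFA and Microsoft multipleauthn URIs already quoted in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize" default-destroy-method="destroy">

    <!-- Added example, not the thread's or the wiki page's own file.
         Assumption: IdP 4.1+ bean ids for the SAML authn flow; verify against
         the saml-authn-config.xml shipped with your release. -->

    <!-- Outbound mapping: an SP asks this IdP for REFEDS MFA, so the proxied
         request to Azure AD / ADFS asks for Microsoft's "multipleauthn" class
         instead. Without this, Azure AD is never asked for MFA explicitly and,
         as noted above, it then only reports it in the authnmethodsreferences
         claim rather than in AuthnContextClassRef. -->
    <util:map id="shibboleth.PrincipalProxyRequestMappings">
        <entry>
            <key>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                      c:classRef="https://refeds.org/profile/mfa" />
            </key>
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                      c:classRef="http://schemas.microsoft.com/claims/multipleauthn" />
            </list>
        </entry>
    </util:map>

    <!-- Inbound mapping: when the upstream response carries "multipleauthn" as
         its AuthnContextClassRef, the resulting local session also satisfies
         REFEDS MFA, so the downstream SP gets the class it requested.
         This keys on AuthnContextClassRef only; the authnmethodsreferences
         attribute values are not consulted, so a response that lists
         multipleauthn solely in that claim does not trigger it. -->
    <util:map id="shibboleth.PrincipalProxyResponseMappings">
        <entry>
            <key>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                      c:classRef="http://schemas.microsoft.com/claims/multipleauthn" />
            </key>
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                      c:classRef="https://refeds.org/profile/mfa" />
            </list>
        </entry>
    </util:map>

</beans>
```

Both maps are needed for the round trip: the request mapping gets Azure AD to put multipleauthn in AuthnContextClassRef at all, and the response mapping turns that into the REFEDS class the SP asked for. The supportedPrincipals setting the reply mentions is separate; in 4.1+ it is the idp.authn.SAML.supportedPrincipals property in conf/authn/authn.properties (property name as I understand the 4.x docs, so check your install), and the saml2/https://refeds.org/profile/mfa entry must be present there or the flow is never selected for a REFEDS MFA request in the first place.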
