Metadata Attributes for MFA retrieval in mfa-authn-config.xml script

Lipscomb, Gary glipscomb at csu.edu.au
Fri Jun 23 05:46:23 UTC 2023


Hi all,

IdP 4.3.1

I’m trying to move to using metadata attributes to control which SPs require MFA, instead of the current hard coding in mfa-authn-config.xml.

The following are the 2 attributes that I’m using, and the MFA flow works for both.

      <saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://csu.edu.au/MFA_Required_ALL</saml:AttributeValue>
      </saml:Attribute>

      <saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://csu.edu.au/MFA_Required_StaffOnly</saml:AttributeValue>
      </saml:Attribute>


What I need to do is determine which value is passed into the MFA process and then test the user's group membership for the StaffOnly value.
The group membership test is working.
We have some sites where staff require MFA but students don’t.

I’m unable to work out what I need to query to return the value “https://csu.edu.au/MFA_Required_StaffOnly”.
I've tried
       authnRequestedPrincipalContext = Java.type("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
but it's not returning the values that I need.


My Javadoc foo is very basic.

Can someone point me in the right direction?

Regards

Gary



Gary Lipscomb
Technical Officer, Systems
IT Infrastructure & Security | Division of Information Technology

Charles Sturt University, Bathurst, NSW 2795
Ph: 02 6338 6533
Email: glipscomb at csu.edu.au
csu.edu.au




