Metadata Attributes for MFA retrieval in mfa-authn-config.xml script
Bobby Lawrence
robertl at jlab.org
Fri Jun 23 13:12:27 UTC 2023
Gary - since you are using metadata entry attributes for this, you may want to look into using a custom relying party configuration. The software provides mechanisms for selecting a specific relying party for SPs that have certain SAML attributes in the EntityAttributes/Extensions metadata element. Once you do this, you can set a specific authentication context on that relying party to enforce MFA.
Something like this may work for you in relying-party.xml:
    <bean id="mfaRequiredForEveryoneRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean parent="TagCandidate" c:name="https://csu.edu.au/MFA_Required_ALL" />
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <value>https://refeds.org/profile/mfa</value>
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>

    <bean id="mfaRequiredForStaffOnlyRelyingParty" parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <bean parent="TagCandidate" c:name="https://csu.edu.au/MFA_Required_StaffOnly" />
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <value>https://some.custom.authcontext.org/that_you_can_check/in/mfa-config/which_you_can_enforce/for_staff_only</value>
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>
I've also done something like what you are trying to do with specific AuthnContextClassRefs. This was a bit trickier, as it required some fairly complex MFA scripting to fetch the requested principal context, pull out the specific part of it I was looking for and use that in the attribute resolution. If you can't get things working with the metadata attributes, you may want to look into going this route.
--Bobby
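As an added example (not code from either message above), here is a scripted transition for mfa-authn-config.xml that reads the defaultAuthenticationMethods the metadata-driven configuration placed on the relying party's profile configuration and only routes to the second factor when the ALL value is present, or the StaffOnly value is present and the user is staff. The flow names authn/Password and authn/Duo and the resolved attribute "isStaff" used for the staff test are assumptions; substitute the group check that already works for you.

```xml
<!-- Added example, not from the original messages. Flow names and the "isStaff"
     attribute are assumptions; the metadata attribute values are the ones in the thread. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        // Values carried by the http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
        // entity attribute in SP metadata.
        var MFA_ALL   = "https://csu.edu.au/MFA_Required_ALL";
        var MFA_STAFF = "https://csu.edu.au/MFA_Required_StaffOnly";

        nextFlow = null;   // default: the first factor is sufficient

        // The metadata-driven configuration copies the entity attribute onto the SP's
        // profile configuration, so read it back from the RelyingPartyContext (input is
        // the ProfileRequestContext). Each entry is a Principal whose name is the URI.
        var rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
        var methods = rpCtx.getProfileConfig().getDefaultAuthenticationMethods(input);
        var wanted = {};
        for (var i = 0; i < methods.size(); i++) {
            wanted[methods.get(i).getName()] = true;
        }

        // Assumed staff test: resolved attribute "isStaff" with value "true". Requires
        // p:resolveAttributes="true" on the MFA flow bean so the AttributeContext exists.
        var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        var mfaCtx  = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
        var attrCtx = mfaCtx.getSubcontext("net.shibboleth.idp.attribute.context.AttributeContext");
        var staff = false;
        var attr = (attrCtx != null) ? attrCtx.getIdPAttributes().get("isStaff") : null;
        if (attr != null && !attr.getValues().isEmpty()) {
            staff = (attr.getValues().get(0).getDisplayValue() == "true");
        }

        if (wanted[MFA_ALL] || (wanted[MFA_STAFF] && staff)) {
            nextFlow = "authn/Duo";   // assumed second-factor flow
        }
        nextFlow;   // returned to the MFA engine: a flow id, or null to finish
        ]]>
        </value>
    </constructor-arg>
</bean>
```

Because defaultAuthenticationMethods are treated as if the SP had requested them, the custom StaffOnly context URI must also appear among the MFA flow's supportedPrincipals, otherwise no flow can satisfy the request and login fails before this script runs.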
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Lipscomb, Gary via users
Sent: Friday, June 23, 2023 1:46 AM
To: Shib Users <users at shibboleth.net>
Cc: Lipscomb, Gary <glipscomb at csu.edu.au>
Subject: [EXTERNAL] Metadata Attributes for MFA retrieval in mfa-authn-config.xml script
Hi all,
IdP 4.3.1
I'm trying to move to using metadata attributes to control which SPs require MFA, instead of hard-coding it in mfa-authn-config.xml as I currently do.
The following are the 2 attributes that I'm using, and the MFA flow works for both.
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://csu.edu.au/MFA_Required_ALL</saml:AttributeValue>
    </saml:Attribute>

    <saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://csu.edu.au/MFA_Required_StaffOnly</saml:AttributeValue>
    </saml:Attribute>
What I need to do is determine which value is passed into the MFA process and then test the user's group membership for the StaffOnly value.
The group membership test is working.
We have some sites where staff require MFA but students don’t.
I'm unable to work out what I need to query to return the value "https://csu.edu.au/MFA_Required_StaffOnly".
I've tried
authnRequestedPrincipalContext = Java.type("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
but it's not returning the values that I need.
My Javadoc foo is very basic.
Can someone point me in the right direction?
Regards
Gary
Gary Lipscomb
Technical Officer, Systems
IT Infrastructure & Security | Division of Information Technology
Charles Sturt University, Bathurst, NSW 2795
Ph: 02 6338 6533
Email: glipscomb at csu.edu.au