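<!-- MFA transition map. Each key is the flow that just completed (the empty key is the start of
     the MFA flow); the value selects what runs next, either a fixed flow (p:nextFlow), a scripted
     strategy (p:nextFlowStrategy-ref) or a per-event choice (nextFlowStrategyMap). -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
  <!-- Start: the firstFactor script picks X509 (authn/RemoteUser), SPNEGO or Password. -->
  <entry key="">
    <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="firstFactor" />
  </entry>
  <!-- X509: fall back to Password on ReselectFlow; on proceed continue to the storage check. -->
  <entry key="authn/RemoteUser">
    <bean parent="shibboleth.authn.MFA.Transition">
      <property name="nextFlowStrategyMap">
        <map>
          <entry key="ReselectFlow" value="authn/Password" />
          <entry key="proceed" value="authn/storage" />
        </map>
      </property>
    </bean>
  </entry>
  <!-- SPNEGO: same transitions as X509. -->
  <entry key="authn/SPNEGO">
    <bean parent="shibboleth.authn.MFA.Transition">
      <property name="nextFlowStrategyMap">
        <map>
          <entry key="ReselectFlow" value="authn/Password" />
          <!-- The flow id must be "authn/storage", as in the RemoteUser transition; the earlier
               value "auth/storage" (missing "n") named no flow, so a SPNEGO login could never
               reach the storage check. -->
          <entry key="proceed" value="authn/storage" />
        </map>
      </property>
    </bean>
  </entry>
  <!-- Password always continues to the storage check. -->
  <entry key="authn/Password">
    <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/storage" />
  </entry>
  <!-- Storage check: ReselectFlow hands over to the secondFactor script, which decides whether a
       second factor has to run. No other event is mapped for this flow. -->
  <entry key="authn/storage">
    <bean parent="shibboleth.authn.MFA.Transition">
      <property name="nextFlowStrategyMap">
        <map>
          <!-- If we do not have a storage event we perform second factor -->
          <entry key="ReselectFlow" value-ref="secondFactor" />
        </map>
      </property>
    </bean>
  </entry>
  <!-- After the OIDC second factor continue to "authn/store". Note that "authn/store" and
       "authn/storage" are two different flow ids (the secondFactor script also returns
       "authn/store"); confirm both flows are deployed. -->
  <entry key="authn/SocialUserOpenIDConnect">
    <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/store" />
  </entry>
</util:map>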
<!-- Objects handed to the firstFactor script (it reads them as custom.get("...")): the activation
     conditions of the X509 and SPNEGO login flows, under the keys the script looks up. -->
<util:map id="customObjectsForMFAFlow">
  <entry key="SPNEGOActivationCondition">
    <ref bean="shibboleth.SPNEGO.ActivationCondition" />
  </entry>
  <entry key="X509ActivationCondition">
    <ref bean="shibboleth.X509.ActivationCondition" />
  </entry>
</util:map>
<!-- Scripted strategy used at the start of the MFA flow: evaluates to the id of the first-factor
     flow to run. The customObject map is exposed to the script as "custom". -->
<bean id="firstFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
  <property name="customObject" ref="customObjectsForMFAFlow" />
  <constructor-arg>
    <value>
      <![CDATA[
        logger = Java.type( "org.slf4j.LoggerFactory" ).getLogger( "firstFactor" );

        // X509 wins over SPNEGO; Password is the fallback when neither condition holds.
        function chooseFirstFactor( x509Active, spnegoActive ) {
          if ( x509Active ) {
            logger.debug( "Selected first factor: X509" );
            return "authn/RemoteUser";
          }
          if ( spnegoActive ) {
            logger.debug( "Selected first factor: SPNEGO" );
            return "authn/SPNEGO";
          }
          logger.debug( "Selected first factor: Password" );
          return "authn/Password";
        }

        // Both activation conditions are evaluated against the request (X509 first, then SPNEGO)
        // before the choice is made; the value of this last expression is the script's result.
        chooseFirstFactor(
          custom.get( "X509ActivationCondition" ).apply( input ),
          custom.get( "SPNEGOActivationCondition" ).apply( input ) );
      ]]>
    </value>
  </constructor-arg>
</bean>
<!-- Scripted strategy reached from the authn/storage ReselectFlow transition: decides whether a
     second factor has to run and, if so, resolves the step-up attributes the OIDC flow consumes.
     The customObject (read by the script as "custom") is the attribute resolver service. -->
<bean id="secondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
p:customObject-ref="shibboleth.AttributeResolverService">
<constructor-arg>
<value>
<![CDATA[
// Default result: no second factor in this request, continue to "authn/store".
nextFlow = "authn/store";
logger = Java.type( "org.slf4j.LoggerFactory" ).getLogger( "secondFactor" );
// Looked up without the create flag used further down, so a missing context would presumably be
// null here and the script would fail rather than silently skip the second factor.
authCtx = input.getSubcontext( "net.shibboleth.idp.authn.context.AuthenticationContext" );
mfaCtx = authCtx.getSubcontext( "net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext" );
// NOTE(review): isAcceptable() presumably means the results collected so far already satisfy the
// request; "authn/store" is then reached without a second factor having run in this request.
// Confirm that flow does not record an MFA marker in that case.
if ( mfaCtx.isAcceptable() ) {
logger.debug( 'Second factor auth does not need to run' );
} else {
logger.debug( "Second factor auth needs to run" );
nextFlow = "authn/SocialUserOpenIDConnect";
// Principal for attribute resolution: CanonicalUsernameLookupStrategy applied to the request.
usernameLookupStrategyClass = Java.type( "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy" );
usernameLookupStrategy = new usernameLookupStrategyClass();
// Temporary resolution context (created if absent) requesting only the three step-up attributes.
resCtx = input.getSubcontext( "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true );
resCtx.setPrincipal( usernameLookupStrategy.apply( input ) );
resCtx.getRequestedIdPAttributeNames().add( "stepupUID" );
resCtx.getRequestedIdPAttributeNames().add( "stepupEPPN" );
resCtx.getRequestedIdPAttributeNames().add( "stepupMobile" );
// "custom" is the attribute resolver service wired in through p:customObject-ref above.
resCtx.resolveAttributes( custom );
// Pass the resolved attributes to context
suCtx = authCtx.getSubcontext( "fi.okm.mpass.idp.authn.impl.SocialUserOpenIdConnectContext", true );
suCtx.setResolvedIdPAttributes( resCtx.getResolvedIdPAttributes() );
// Remove the temporary resolution context again so it does not linger on the request.
input.removeSubcontext( resCtx );
}
// The last expression is the script's result: the id of the flow to run next.
nextFlow;
]]>
</value>
</constructor-arg>
</bean>
SimpleSAMLphp in Proxy mode
SimpleSAMLphp needs to be patched so that the authnContextClassRef requested by the SP behind the proxy is passed on to the upstream IdP: https://github.com/simplesamlphp/simplesamlphp/pull/833. The patch has been tested with ELIXIR AAI; it can be tried out at https://perun.elixir-czech.cz/refeds-af-demo/.