...
| No Format |
|---|
<util:map id="shibboleth.authn.MFA.TransitionMap">
<entry key="">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="firstFactor" />
</entry>
<entry key="authn/RemoteUser">
<bean parent="shibboleth.authn.MFA.Transition">
<property name="nextFlowStrategyMap">
<map>
<entry key="ReselectFlow" value="authn/Password" />
<entry key="proceed" value="authn/storage" />
</map>
</property>
</bean>
</entry>
<entry key="authn/SPNEGO">
<bean parent="shibboleth.authn.MFA.Transition">
<property name="nextFlowStrategyMap">
<map>
<entry key="ReselectFlow" value="authn/Password" />
<entry key="proceed" value="auth/storage" />
</map>
</property>
</bean>
</entry>
<entry key="authn/Password">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/storage" />
</entry>
<entry key="authn/storage">
<bean parent="shibboleth.authn.MFA.Transition">
<property name="nextFlowStrategyMap">
<map>
<!-- If we do not have a storage event we perform second factor -->
<entry key="ReselectFlow" value-ref="secondFactor" />
</map>
</property>
</bean>
</entry>
<entry key="authn/SocialUserOpenIDConnect">
<bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/store" />
</entry>
</util:map>
<util:map id="customObjectsForMFAFlow">
<entry key="SPNEGOActivationCondition" value-ref="shibboleth.SPNEGO.ActivationCondition" />
<entry key="X509ActivationCondition" value-ref="shibboleth.X509.ActivationCondition" />
</util:map>
<bean id="firstFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
p:customObject-ref="customObjectsForMFAFlow">
<constructor-arg>
<value>
<![CDATA[
logger = Java.type( "org.slf4j.LoggerFactory" ).getLogger( "firstFactor" );
nextFlow = "authn/Password";
isX509Activated = custom.get( "X509ActivationCondition" ).apply( input );
isSPNEGOActivated = custom.get( "SPNEGOActivationCondition" ).apply( input );
if ( isX509Activated ) {
logger.debug( "Selected first factor: X509" );
nextFlow = "authn/RemoteUser";
} else if ( isSPNEGOActivated ) {
logger.debug( "Selected first factor: SPNEGO" );
nextFlow = "authn/SPNEGO";
} else {
logger.debug( "Selected first factor: Password" );
}
nextFlow;
]]>
</value>
</constructor-arg>
</bean>
<bean id="secondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
p:customObject-ref="shibboleth.AttributeResolverService">
<constructor-arg>
<value>
<![CDATA[
nextFlow = "authn/store";
logger = Java.type( "org.slf4j.LoggerFactory" ).getLogger( "secondFactor" );
authCtx = input.getSubcontext( "net.shibboleth.idp.authn.context.AuthenticationContext" );
mfaCtx = authCtx.getSubcontext( "net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext" );
if ( mfaCtx.isAcceptable() ) {
logger.debug( 'Second factor auth does not need to run' );
} else {
logger.debug( "Second factor auth needs to run" );
nextFlow = "authn/SocialUserOpenIDConnect";
usernameLookupStrategyClass = Java.type( "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy" );
usernameLookupStrategy = new usernameLookupStrategyClass();
resCtx = input.getSubcontext( "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true );
resCtx.setPrincipal( usernameLookupStrategy.apply( input ) );
resCtx.getRequestedIdPAttributeNames().add( "stepupUID" );
resCtx.getRequestedIdPAttributeNames().add( "stepupEPPN" );
resCtx.getRequestedIdPAttributeNames().add( "stepupMobile" );
resCtx.resolveAttributes( custom );
// Pass the resolved attributes to context
suCtx = authCtx.getSubcontext( "fi.okm.mpass.idp.authn.impl.SocialUserOpenIdConnectContext", true );
suCtx.setResolvedIdPAttributes( resCtx.getResolvedIdPAttributes() );
input.removeSubcontext( resCtx );
}
nextFlow;
]]>
</value>
</constructor-arg>
</bean> |
SimpleSAMLphp in Proxy mode
There is a need to patch the SimpleSAMLphp in order to pass the authnContextClassRef from the SP behind the proxy to the upper IdP: https://github.com/simplesamlphp/simplesamlphp/pull/833. The patch has been tested with ELIXIR AAI. Test can be done at https://perun.elixir-czech.cz/refeds-af-demo/.