...
No Format |
---|
<util:map id="shibboleth.authn.MFA.TransitionMap"> <entry key=""> <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="firstFactor" /> </entry> <entry key="authn/RemoteUser"> <bean parent="shibboleth.authn.MFA.Transition"> <property name="nextFlowStrategyMap"> <map> <entry key="ReselectFlow" value="authn/Password" /> <entry key="proceed" value="authn/storage" /> </map> </property> </bean> </entry> <entry key="authn/SPNEGO"> <bean parent="shibboleth.authn.MFA.Transition"> <property name="nextFlowStrategyMap"> <map> <entry key="ReselectFlow" value="authn/Password" /> <entry key="proceed" value="auth/storage" /> </map> </property> </bean> </entry> <entry key="authn/Password"> <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/storage" /> </entry> <entry key="authn/storage"> <bean parent="shibboleth.authn.MFA.Transition"> <property name="nextFlowStrategyMap"> <map> <!-- If we do not have a storage event we perform second factor --> <entry key="ReselectFlow" value-ref="secondFactor" /> </map> </property> </bean> </entry> <entry key="authn/SocialUserOpenIDConnect"> <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/store" /> </entry> </util:map> <util:map id="customObjectsForMFAFlow"> <entry key="SPNEGOActivationCondition" value-ref="shibboleth.SPNEGO.ActivationCondition" /> <entry key="X509ActivationCondition" value-ref="shibboleth.X509.ActivationCondition" /> </util:map> <bean id="firstFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript" p:customObject-ref="customObjectsForMFAFlow"> <constructor-arg> <value> <![CDATA[ logger = Java.type( "org.slf4j.LoggerFactory" ).getLogger( "firstFactor" ); nextFlow = "authn/Password"; isX509Activated = custom.get( "X509ActivationCondition" ).apply( input ); isSPNEGOActivated = custom.get( "SPNEGOActivationCondition" ).apply( input ); if ( isX509Activated ) { logger.debug( "Selected first factor: X509" ); nextFlow = "authn/RemoteUser"; } else if ( isSPNEGOActivated ) { logger.debug( "Selected first factor: SPNEGO" ); nextFlow = "authn/SPNEGO"; } else { logger.debug( "Selected first factor: Password" ); } nextFlow; ]]> </value> </constructor-arg> </bean> <bean id="secondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript" p:customObject-ref="shibboleth.AttributeResolverService"> <constructor-arg> <value> <![CDATA[ nextFlow = "authn/store"; logger = Java.type( "org.slf4j.LoggerFactory" ).getLogger( "secondFactor" ); authCtx = input.getSubcontext( "net.shibboleth.idp.authn.context.AuthenticationContext" ); mfaCtx = authCtx.getSubcontext( "net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext" ); if ( mfaCtx.isAcceptable() ) { logger.debug( 'Second factor auth does not need to run' ); } else { logger.debug( "Second factor auth needs to run" ); nextFlow = "authn/SocialUserOpenIDConnect"; usernameLookupStrategyClass = Java.type( "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy" ); usernameLookupStrategy = new usernameLookupStrategyClass(); resCtx = input.getSubcontext( "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true ); resCtx.setPrincipal( usernameLookupStrategy.apply( input ) ); resCtx.getRequestedIdPAttributeNames().add( "stepupUID" ); resCtx.getRequestedIdPAttributeNames().add( "stepupEPPN" ); resCtx.getRequestedIdPAttributeNames().add( "stepupMobile" ); resCtx.resolveAttributes( custom ); // Pass the resolved attributes to context suCtx = authCtx.getSubcontext( "fi.okm.mpass.idp.authn.impl.SocialUserOpenIdConnectContext", true ); suCtx.setResolvedIdPAttributes( resCtx.getResolvedIdPAttributes() ); input.removeSubcontext( resCtx ); } nextFlow; ]]> </value> </constructor-arg> </bean> |
SimpleSAMLphp in Proxy mode
There is a need to patch the SimpleSAMLphp in order to pass the authnContextClassRef from the SP behind the proxy to the upper IdP: https://github.com/simplesamlphp/simplesamlphp/pull/833. The patch has been tested with ELIXIR AAI. Test can be done at https://perun.elixir-czech.cz/refeds-af-demo/.