


SPs to test IdP attribute release and returned authentication context:

Configuration examples

The below config seems to be working swimmingly for me.

  • If the SP doesn't ask for a specific aCC ref, the IdP will choose the authentication method
  • If an mfa session is valid for any reason, aCC ref = mfa is returned unless something else is requested
  • The IdP respects any aCC ref that is requested, by executing that auth method and returning the appropriate aCC ref

There is one caveat: most of the time the IdP will return an aCC ref that is not one of the classes defined in the SAML2 spec, namely "https://refeds.org/profile/sfa" or "https://refeds.org/profile/mfa". I don't think this should be that big of a deal, because if the SP cares about the aCC ref it should ask for something specific.


conf/idp.properties:

# Pipe-separated list of the authentication flows that are enabled at runtime.
# Only flows named here are active; SocialUserOpenIDConnect is defined in
# general-authn.xml on this page but is not listed here, so it is presumably
# disabled as configured. Confirm that is intended before an SP is pointed at it.
idp.authn.flows= SPNEGO|RemoteUser|Password|MFA

conf/authn/general-authn.xml:

    <!-- Flows the IdP may run. Which of them are actually enabled is decided
         separately by idp.authn.flows in idp.properties (on this page: SPNEGO,
         RemoteUser, Password, MFA). Every c:classRef below is an
         AuthnContextClassRef the IdP may assert to an SP when that flow
         succeeds, so an SP that relies on e.g. the REFEDS MFA profile is
         relying on this mapping; a class should only be listed under a flow
         whose authentication genuinely meets it. -->
    <util:list id="shibboleth.AvailableAuthenticationFlows">
        
        <!-- Kerberos ticket presented by the browser. Not offered to non-browser
             clients and gated by shibboleth.SPNEGO.ActivationCondition (defined
             elsewhere). A successful result is advertised as REFEDS SFA and the
             SAML Kerberos class. -->
        <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
                p:nonBrowserSupported="false"
                p:activationCondition-ref="shibboleth.SPNEGO.ActivationCondition">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="https://refeds.org/profile/sfa" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
                </list>
            </property>
        </bean>

        <!-- Identity taken from REMOTE_USER as set by the web server / container.
             The X509 activation condition and the X509/TLSClient classes below
             suggest the front end authenticates a client certificate and hands
             the result over; the IdP itself trusts whatever REMOTE_USER it is
             given, so that trust boundary lives in the web server config, which
             is not shown on this page. Confirm REMOTE_USER cannot be set any
             other way on this path. -->
        <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
            p:nonBrowserSupported="false"
            p:activationCondition-ref="shibboleth.X509.ActivationCondition">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="https://refeds.org/profile/sfa" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
                </list>
            </property>
        </bean>
        
        <!-- Username/password login. Can satisfy IsPassive (reuse only) and
             ForceAuthn (re-prompt). Advertised as REFEDS SFA plus the two SAML
             password classes; REFEDS SFA places requirements on the credential
             itself, so the SFA claim is only accurate if the password policy
             meets them, which cannot be judged from this file. -->
        <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="https://refeds.org/profile/sfa" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                </list>
            </property>

        </bean>

        <!-- Login delegated to an external OpenID Connect provider (this flow
             appears to come from an add-on rather than the stock IdP). It is not
             in idp.authn.flows on this page, so as written it is defined but not
             enabled. Note that it advertises REFEDS MFA: enabling it would have
             the IdP assert MFA purely on the strength of the upstream provider's
             login, so verify that provider actually enforces MFA for every user
             before turning this on. -->
        <bean id="authn/SocialUserOpenIDConnect" parent="shibboleth.AuthenticationFlow"
                p:nonBrowserSupported="false" p:forcedAuthenticationSupported="true">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="https://refeds.org/profile/mfa" />
                </list>
            </property>
        </bean>

        <!-- Orchestrated multi-factor flow. Cannot satisfy an IsPassive request
             on its own, does honor ForceAuthn, and is the only enabled flow that
             advertises REFEDS MFA. -->
        <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="false"
                p:forcedAuthenticationSupported="true">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="https://refeds.org/profile/mfa" />
                </list>
            </property>
        </bean>

    </util:list>

    <!-- Ranking used when the IdP has more than one supported class it could
         assert for a result (for example a reused session that satisfies
         several) and the SP expressed no preference: the higher weight wins.
         mfa (3) outranks sfa (2), and classes not listed here (the SAML
         Kerberos, X509, TLSClient and Password classes above) presumably fall
         to the default, lower weight. That is why, as the prose above notes,
         the REFEDS URIs are what most SPs will see unless they request a
         specific class. -->
    <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
        <entry>
            <key>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="https://refeds.org/profile/mfa" />
            </key>
            <value>3</value>
        </entry>
        <entry>
            <key>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="https://refeds.org/profile/sfa" />
            </key>
            <value>2</value>
        </entry>
     </util:map>


