The goal of the Shibboleth IdP configuration described below can be stated simply:

"If the IdP receives a SAML authentication request with 'https://refeds.org/profile/mfa' set as the only authenticationContextClassRef, then it MUST force the user to log in with MFA. Optionally, if the IdP receives 'https://refeds.org/profile/mfa' in a list of multiple allowed authentication contexts, it MAY ask the user if they would like to authenticate with MFA."
The InCommon Cert Service SSO/MFA flow works like this:

1. User clicks the federated login link (the link will be provided in the invitation email).
2. User selects their IdP from the discovery service.
3. IdP receives a SAML authenticationRequest with 'Password', 'PasswordProtectedTransport', 'http://id.incommon.org/assurance/base-level', and 'https://refeds.org/profile/mfa' set as the allowed/requested SAML authenticationContextClassRef values.
4. IdP optionally asks the user if they want to use MFA authentication.
5. SP/app receives a SAML assertion with the user's ePPN.
6. SP/app looks up the user's invitation and determines whether the user is an RAO.
7. If the user is an RAO, the SAML authenticationContextClassRef in the received assertion is checked.
8. If the RAO user did not authenticate with MFA, they are sent back to the IdP with only 'https://refeds.org/profile/mfa' set as the allowed/requested SAML authenticationContextClassRef (since the user was identified as an RAO). Otherwise, the user is a DRAO and they are logged in.
SP entityID: https://cert-manager.com/shibboleth
Both eppn and email address are required:
- EduPersonPrincipalName [eppn] (SAML: urn:oid:1.3.6.1.4.1.5923.1.1.1.6)
- Email address [mail] (SAML: urn:oid:0.9.2342.19200300.100.1.3)

First and last name are optional:
- First name [givenName] (SAML: urn:oid:2.5.4.42)
- Last name [sn] (SAML: urn:oid:2.5.4.4)
- For the initial invitation, the email address asserted by the IdP must match the email address in the invited user's CCM profile. At that point, the user's eppn is stored in their CCM profile.
- Thereafter, only a match on eppn is required to bind the user to their CCM profile.
- The user's eppn can be edited directly in CCM.
- After the initial login, values for email address, first name, and last name received from the IdP will be used to update the related values in the user's CCM profile.
InCommon staff will need to onboard RAOs by sending an invitation email from CCM. Once an institution's IdP is ready, an RAO should send an email to pcaskey@internet2.edu and request such onboarding.
- The initial login matches the asserted email address to the email address stored in the CCM user profile.
- At that point, the asserted eppn is added to the "IdP User ID" field in the CCM user profile.
- All future logins will use asserted values for first/last name and email address to update the respective fields in the CCM user profile.

RAOs can then onboard their DRAOs using the same invitation function (or by manually entering their eppn in CCM). ← NOTE: Due to a default permissions issue, this will not be functional until 9/13/17.
Once logged into CCM, here's how to onboard existing RAOs/DRAOs in your org:
https://spaces.at.internet2.edu/pages/viewpage.action?pageId=115180856 (temporarily restricted, awaiting dev fix on 9/13/17)
You can bypass the discovery service (for example, if your IdP uses the 'Hide From Discovery' entity tag) using a URL like this (substitute your IdP's entityID where indicated):

https://cert-manager.com/Shibboleth.sso/Login?target=https://cert-manager.com/customer/InCommon/idp&entityID=<your IdP's entityID>&authnContextClassRef=Password%20PasswordProtectedTransport%20http://id.incommon.org/assurance/base-level%20https://refeds.org/profile/mfa
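The SP-side decision from steps 7 and 8 of the flow, together with construction of the Login URL shown above, as an added example that is not part of this page or of CCM's own code. It assumes a constructed, already signature-verified SAML assertion, and uses a placeholder IdP entityID.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import quote, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Contexts exactly as they appear in the page's Login URL (step 3 of the flow).
INITIAL_CONTEXTS = ["Password", "PasswordProtectedTransport",
                    "http://id.incommon.org/assurance/base-level", REFEDS_MFA]

# Endpoints taken from the Login URL shown on the page.
SP_LOGIN = "https://cert-manager.com/Shibboleth.sso/Login"
SP_TARGET = "https://cert-manager.com/customer/InCommon/idp"

# Constructed sample assertion; signature validation is assumed to have happened already.
def sample_assertion(ctx: str) -> str:
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:AuthnStatement AuthnInstant="2024-03-28T10:00:00Z"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )

def authn_context(assertion_xml: str) -> str:
    """Return the AuthnContextClassRef the IdP asserted, or '' if none is present."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return (node.text or "").strip() if node is not None else ""

def login_url(idp_entity_id: str, contexts: List[str]) -> str:
    """Discovery-bypass Login URL; contexts are space-separated (%20) as on the page."""
    params = {"target": SP_TARGET, "entityID": idp_entity_id,
              "authnContextClassRef": " ".join(contexts)}
    return SP_LOGIN + "?" + urlencode(params, safe="/", quote_via=quote)

def decide(assertion_xml: str, is_rao: bool, idp_entity_id: str) -> Tuple[str, Optional[str]]:
    """Steps 7-8: an RAO whose assertion lacks REFEDS MFA is sent back to the IdP with
    REFEDS MFA as the only requested context; everyone else is logged in."""
    if is_rao and authn_context(assertion_xml) != REFEDS_MFA:
        return ("redirect", login_url(idp_entity_id, [REFEDS_MFA]))
    return ("login", None)

if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"  # placeholder entityID
    print(decide(sample_assertion(PPT), True, idp))         # RAO without MFA -> redirect
    print(decide(sample_assertion(REFEDS_MFA), True, idp))  # RAO with MFA -> login
    print(login_url(idp, INITIAL_CONTEXTS))                 # first-login URL from the page
```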
Change in general-authn.xml: add the new 2FA supported principal to both authn/Duo and authn/MFA:

<bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />

...and then just add a release rule to attribute-filter.xml:

<afp:AttributeFilterPolicy id="Incommon_Certmanager">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://cert-manager.com/shibboleth" />
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
<!-- in general-authn.xml -->
<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
      p:forcedAuthenticationSupported="true"
      p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="https://refeds.org/profile/mfa" />
        </list>
    </property>
</bean>

<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="https://refeds.org/profile/mfa" />
        </list>
    </property>
</bean>

<!-- When a login satisfies more than one supported context, the IdP asserts the
     one with the highest weight, so REFEDS MFA (2) is reported in preference to
     PasswordProtectedTransport (1). -->
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />
        </key>
        <value>2</value>
    </entry>
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </key>
        <value>1</value>
    </entry>
</util:map>

<!-- in idp.properties -->
idp.authn.flows=MFA