
For IdP 3.3.x
Change in general-authn.xml:
-- Add the new 2FA (REFEDS MFA) supported principal to both authn/Duo and authn/MFA --
<!-- Advertise the REFEDS MFA profile (https://refeds.org/profile/mfa) as a supported
     SAML2 AuthnContextClassRef. Per the note above this is added to both authn/Duo
     and authn/MFA. A flow should only advertise this class if it really enforces a
     second factor; for authn/MFA that depends on its transition map, which is not
     shown on this page - confirm before deploying. -->
<bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />

...and then add a release rule to attribute-filter.xml:
<!-- Attribute release policy for the InCommon Certificate Manager SP.
     The policy applies only when the requester's entityID string-matches
     https://cert-manager.com/shibboleth; it then releases every value of
     email, givenName, surname and eduPersonPrincipalName to that SP.
     The afp:/basic:/xsi: prefixes are bound at the top of attribute-filter.xml
     (not shown here). -->
<afp:AttributeFilterPolicy id="Incommon_Certmanager">     
  <!-- Requester match by entityID string; no other policy condition applies. -->
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://cert-manager.com/shibboleth" />
  <!-- basic:ANY permits all values of the attribute, with no value-level filtering. -->
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>       
  <!-- ePPN is a persistent, person-linked identifier; release it only to SPs that need it. -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Another 3.3.x contribution
<!-- Duo second-factor login flow.
     Forced re-authentication is supported; non-browser clients are not
     (presumably because the Duo prompt is interactive - confirm). -->
<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
	p:forcedAuthenticationSupported="true"
	p:nonBrowserSupported="false">
  <!-- This flow satisfies requests for the REFEDS MFA profile only:
       the SAML2 class ref and its SAML1 authentication-method equivalent. -->
  <property name="supportedPrincipals">
    <list>
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />
      <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="https://refeds.org/profile/mfa" />
    </list>
  </property>
</bean>
<!-- Composite MFA login flow.
     It advertises the password-style contexts as well as the REFEDS MFA profile,
     so the IdP may claim MFA for this flow. NOTE(review): whether a second factor
     is actually enforced when https://refeds.org/profile/mfa is asserted depends
     on this flow's transition map, which is not on this page - confirm it only
     completes after the Duo step in that case. -->
<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
	p:passiveAuthenticationSupported="true"
	p:forcedAuthenticationSupported="true">
  <property name="supportedPrincipals">         
    <list>
      <!-- Password-class contexts (SAML2 class refs plus the SAML1 method). -->
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
      <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
      <!-- REFEDS MFA profile, SAML2 class ref and SAML1 method equivalent. -->
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />
      <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="https://refeds.org/profile/mfa" />        
    </list>
  </property>
</bean>
<!-- Relative weights of authentication principals.
     REFEDS MFA (2) is ranked above PasswordProtectedTransport (1).
     NOTE(review): this map is consulted when more than one principal could be
     reported for a login; confirm against the IdP documentation that the
     higher weight is the one preferred, so MFA is reported when it was done. -->
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
  <entry>      
    <key>
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />     
    </key>
    <value>2</value>
  </entry>
  <entry>      
    <key>
      <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />     
    </key>
    <value>1</value>
  </entry>
</util:map>