...
https://spaces.at.internet2.edu/pages/viewpage.action?pageId=115180856 (temporarily restricted, awaiting dev fix on 9/13/17)
Bypassing the Discovery Service
You can bypass the discovery service (for example, if your IdP uses the 'Hide From Discovery' entity tag) using a URL like this (substitute your IdP's entityID where indicated):
https://cert-manager.com/Shibboleth.sso/Login?target=https://cert-manager.com/customer/InCommon/idp&entityID=<your IdP's entityID>&authnContextClassRef=Password%20PasswordProtectedTransport%20http://id.incommon.org/assurance/base-level%20https://refeds.org/profile/mfa
Config Contributions
Change in general-authn.xml: add the new 2FA supported principal to both authn/Duo and authn/MFA:

```xml
<bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />
```

...and then just add a release rule to attribute-filter.xml:

```xml
<afp:AttributeFilterPolicy id="Incommon_Certmanager">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://cert-manager.com/shibboleth" />
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```
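Before loading a release rule like the one above, it is worth checking offline which attributes it would actually hand to which requester. The script below is an added example (not InCommon's or Shibboleth's code): it parses the policy with the standard library, evaluates the two rule types this page uses (basic:AttributeRequesterString for the requester and basic:ANY for the permit rule), and fails closed on any rule type it does not model. The namespace URIs, the wrapping AttributeFilterPolicyGroup element and the candidate attribute list are assumptions made so the snippet parses stand-alone.

```python
"""Offline check of a Shibboleth IdP attribute-filter policy: which attribute
IDs would be released to a given requester (SP entityID)?

Added example, not part of the Shibboleth or InCommon project code. Only the
rule types used on this page are modelled; any other xsi:type is treated as
NOT matching, so an unmodelled rule can never widen the computed release set."""
import xml.etree.ElementTree as ET

# Namespace URIs for the afp:, basic: and xsi: prefixes (assumed to match the
# IdP v3 filter syntax used in the policy above).
NS = {
    "afp": "urn:mace:shibboleth:2.0:afp",
    "basic": "urn:mace:shibboleth:2.0:afp:mf:basic",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed policy document: the release rule from the page, wrapped in a
# policy-group root that carries the namespace declarations it needs to parse.
POLICY_XML = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="Incommon_Certmanager">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://cert-manager.com/shibboleth" />
    <afp:AttributeRule attributeID="email">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""


def requirement_matches(rule, requester):
    """Evaluate a PolicyRequirementRule against the requesting SP's entityID."""
    rule_type = rule.get(XSI_TYPE)
    if rule_type == "basic:ANY":
        return True
    if rule_type == "basic:AttributeRequesterString":
        expected = rule.get("value", "")
        if rule.get("ignoreCase", "false").lower() == "true":
            return expected.lower() == requester.lower()
        return expected == requester
    return False  # unmodelled rule type: fail closed


def released_attributes(policy_xml, requester, available):
    """Return the subset of `available` attribute IDs released to `requester`."""
    root = ET.fromstring(policy_xml)
    released = set()
    for policy in root.iter("{%s}AttributeFilterPolicy" % NS["afp"]):
        requirement = policy.find("afp:PolicyRequirementRule", NS)
        if requirement is None or not requirement_matches(requirement, requester):
            continue
        for attr_rule in policy.findall("afp:AttributeRule", NS):
            attr_id = attr_rule.get("attributeID")
            permit = attr_rule.find("afp:PermitValueRule", NS)
            # Only basic:ANY is modelled; it releases every value of the attribute.
            if attr_id in available and permit is not None \
                    and permit.get(XSI_TYPE) == "basic:ANY":
                released.add(attr_id)
    return released


if __name__ == "__main__":
    # Constructed set of attributes the IdP resolves for a user.
    resolved = {"email", "givenName", "surname", "eduPersonPrincipalName", "uid"}
    for sp in ("https://cert-manager.com/shibboleth", "https://other.example.org/shibboleth"):
        print(sp, "->", sorted(released_attributes(POLICY_XML, sp, resolved)))
```

Run it as-is and the Certificate Manager requester receives the four attributes named in the policy and nothing else (uid stays back), while an unrelated entityID receives nothing; editing POLICY_XML to try a proposed change shows its effect before the file is deployed.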
In general-authn.xml:

```xml
<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
        p:forcedAuthenticationSupported="true"
        p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="https://refeds.org/profile/mfa" />
        </list>
    </property>
</bean>

<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
        p:passiveAuthenticationSupported="true"
        p:forcedAuthenticationSupported="true">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="https://refeds.org/profile/mfa" />
        </list>
    </property>
</bean>

<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />
        </key>
        <value>2</value>
    </entry>
    <entry>
        <key>
            <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        </key>
        <value>1</value>
    </entry>
</util:map>
```

In idp.properties:

```properties
idp.authn.flows=MFA
```
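The login URL in the "Bypassing the Discovery Service" section and the flow configuration above fit together: the SP requests a space-separated list of context classes, the IdP picks a flow that supports one of them, and the weight map decides which satisfied class is reported in the assertion. The script below is an added example (not Shibboleth's or InCommon's code) that models those two steps in simplified form for the configuration on this page: a flow is a candidate when it supports at least one requested class (exact matching), and when a completed flow satisfies several requested classes the highest-weighted one is reported, with classes absent from the map treated as weight 0 (an assumption of the model). It also shows how to build such a login URL with proper percent-encoding of the entityID. The sample entityID https://idp.example.edu/idp/shibboleth is a constructed placeholder.

```python
"""Simplified model of flow selection and reported-principal choice for the
general-authn.xml / idp.properties configuration above, plus parsing and
building of the Shibboleth.sso/Login URL used to bypass the discovery service.

Added example, not Shibboleth's own code. Modelled behaviour:
  1. a flow is a candidate if it is enabled (idp.authn.flows) and supports at
     least one requested SAML2 context class (exact string match);
  2. among the requested classes a completed flow satisfied, the one with the
     highest weight in AuthenticationPrincipalWeightMap is reported; classes
     not in the map are assumed to have weight 0."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

REFEDS_MFA = "https://refeds.org/profile/mfa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
IP = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"

# SAML2AuthnContextClassRef principals per flow, transcribed from general-authn.xml above.
FLOWS = {
    "authn/Duo": {REFEDS_MFA},
    "authn/MFA": {IP, PPT, PASSWORD, REFEDS_MFA},
}
# shibboleth.AuthenticationPrincipalWeightMap from the page.
WEIGHTS = {REFEDS_MFA: 2, PPT: 1}

# The page's bypass URL with a constructed placeholder entityID substituted.
PAGE_URL = (
    "https://cert-manager.com/Shibboleth.sso/Login"
    "?target=https://cert-manager.com/customer/InCommon/idp"
    "&entityID=https://idp.example.edu/idp/shibboleth"
    "&authnContextClassRef=Password%20PasswordProtectedTransport"
    "%20http://id.incommon.org/assurance/base-level%20https://refeds.org/profile/mfa"
)


def requested_classes(login_url):
    """Return the authnContextClassRef list from a Login URL, in request order.
    Tokens are returned exactly as sent (the page's URL uses the short names
    'Password' and 'PasswordProtectedTransport', not the full URNs)."""
    query = parse_qs(urlsplit(login_url).query)
    return query.get("authnContextClassRef", [""])[0].split()


def build_login_url(sp_host, target, idp_entity_id, classes):
    """Build the discovery-bypass URL; urlencode percent-encodes the entityID
    and joins the classes with %20 as the page's example does."""
    query = urlencode(
        {"target": target, "entityID": idp_entity_id,
         "authnContextClassRef": " ".join(classes)},
        quote_via=quote,
    )
    return "https://%s/Shibboleth.sso/Login?%s" % (sp_host, query)


def candidate_flows(requested, enabled=("MFA",)):
    """Flows listed in idp.authn.flows that support any requested class."""
    enabled_ids = {"authn/" + name for name in enabled}
    return sorted(flow for flow, supported in FLOWS.items()
                  if flow in enabled_ids and supported & set(requested))


def reported_class(requested, satisfied):
    """Pick the context class to report from those a completed flow satisfied."""
    matches = set(requested) & set(satisfied)
    if not matches:
        return None
    return max(matches, key=lambda cls: (WEIGHTS.get(cls, 0), cls))


if __name__ == "__main__":
    wanted = requested_classes(PAGE_URL)
    print("requested:", wanted)
    print("candidate flows with idp.authn.flows=MFA:", candidate_flows(wanted))
    # A Duo step inside the MFA flow satisfies both password and MFA classes;
    # the weight map makes the REFEDS MFA profile the one reported.
    print("reported:", reported_class(wanted, {PPT, REFEDS_MFA}))
    print(build_login_url("cert-manager.com",
                          "https://cert-manager.com/customer/InCommon/idp",
                          "https://idp.example.edu/idp/shibboleth",
                          [PPT, REFEDS_MFA]))
```

Of the four classes in the page's URL only https://refeds.org/profile/mfa appears in a flow's supportedPrincipals, so with idp.authn.flows=MFA the MFA flow is the sole candidate; once it completes with both PasswordProtectedTransport and the REFEDS MFA profile satisfied, the weight of 2 is what makes the assertion carry the MFA class rather than the password one.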
...