Overview

The goal of the Shibboleth IdP configuration described below can be stated simply:

...

  1. User clicks federated login link.

  2. User selects IdP from discovery service

  3. IdP receives SAML authenticationRequest with 'Password', 'PasswordProtectedTransport', 'http://id.incommon.org/assurance/base-level', and 'https://refeds.org/profile/mfa' set as the allowed/requested SAML authenticationContextClassRef values.

  4. IdP optionally asks user if they want to use MFA authentication

  5. SP/app receives SAML assertion with user's ePPN.

  6. SP/app looks up user's invitation and determines if the user is an RAO.

  7. If the user is an RAO, then the SAML authenticationContextClassRef in the received assertion is checked.

  8. If the RAO user did not authenticate with MFA, they are sent back to the IdP with only 'https://refeds.org/profile/mfa' set as the allowed/requested SAML authenticationContextClassRef value (since the user was identified as an RAO). Otherwise, the user is a DRAO and they are logged in.
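The SP-side decision in steps 5 through 8, as an added example that is not part of the original page: it pulls the ePPN and the AuthnContextClassRef out of a (constructed, unsigned) assertion and decides whether to log the user in or to send them back to the IdP requesting only the REFEDS MFA context. It assumes the 'Password' and 'PasswordProtectedTransport' names on the page are the standard OASIS class URNs, that the SAML library has already verified the response signature, and that the invitation lookup is represented by an `is_rao` callable.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Contexts the SP requests on the first login (assumed to be the standard URNs).
INITIAL_CONTEXTS = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "http://id.incommon.org/assurance/base-level",
    REFEDS_MFA,
]

# Constructed minimal assertion; real assertions are signed and carry more.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="{ns}" ID="_c1" Version="2.0">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="{oid}">
    <saml:AttributeValue>{eppn}</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def make_assertion(eppn, authn_context):
    """Build a constructed sample assertion for the given user and context."""
    return ASSERTION_TEMPLATE.format(ns=NS["saml"], oid=EPPN_OID, eppn=eppn, ctx=authn_context)


def parse_assertion(xml_text):
    """Return (eppn, authn_context_class_ref); signature checking is assumed done upstream."""
    root = ET.fromstring(xml_text)
    ctx = root.findtext(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    eppn = root.findtext(f".//saml:Attribute[@Name='{EPPN_OID}']/saml:AttributeValue", namespaces=NS)
    return (eppn.strip() if eppn else None), (ctx.strip() if ctx else "")


def next_step(xml_text, is_rao):
    """Decide what the SP does next: ('login', []), ('step_up', [contexts]) or ('reject', [])."""
    eppn, ctx = parse_assertion(xml_text)
    # Exact-match the context; never accept one the SP did not ask for.
    if eppn is None or ctx not in INITIAL_CONTEXTS:
        return ("reject", [])
    # An RAO without MFA is sent back requesting only the REFEDS MFA context.
    if is_rao(eppn) and ctx != REFEDS_MFA:
        return ("step_up", [REFEDS_MFA])
    return ("login", [])
```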


Comodo Certificate Manager (CCM) SAML SP entityID

 https://cert-manager.com/shibboleth


Required Attributes

  • Both eppn and email address are required.

    • EduPersonPrincipalName [eppn]  (SAML: urn:oid:1.3.6.1.4.1.5923.1.1.1.6)

    • Email address [mail]  (SAML: urn:oid:0.9.2342.19200300.100.1.3)

  • First and last name are optional.

    • First name [givenName]  (SAML: urn:oid:2.5.4.42)

    • Last name [sn]  (SAML: urn:oid:2.5.4.4)

  • For the initial invitation, the email address asserted by the IdP must match the email address in the invited user’s CCM profile.  At that point, the user’s eppn is stored in their CCM profile.

  • Thereafter, only a match on eppn is required to bind the user to their CCM profile.

  • The user’s eppn can be edited directly in CCM.

  • After the initial login, values for email address, first name, and last name received from the IdP will be used to update the related values in the user’s CCM profile.



Onboarding Existing Users

Once logged into CCM, here’s how to onboard existing RAOs/DRAOs in your org:

https://spaces.at.internet2.edu/pages/viewpage.action?pageId=115180856


Config Contributions

For IdP 3.3.x

Change in general-authn.xml:
-- Add new 2fa supported principal to both authn/Duo, and authn/MFA --
<bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" />

...and then just add a release rule to attribute-filter.xml:
<afp:AttributeFilterPolicy id="Incommon_Certmanager">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://cert-manager.com/shibboleth" />
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

...