DUO MFA Trigger on Attributes


DUO MFA Trigger on Attributes

Lionel Samuel
Hello:

Is it possible for DUO MFA to trigger on differing attribute values based on the SP being accessed?

Say:

SP BAR
Trigger MFA on user if has 'memberOf' attribute 'ou=employee'

SP FOO
Trigger MFA on user if has 'memberOf' attribute 'ou=IT-faculty'


If above is possible, are there any examples that can be shared?

I know how to trigger if common attribute value as the trigger, based on the example shipped, but not if differing values per SP as the trigger.

Thanks.


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: DUO MFA Trigger on Attributes

Losen, Stephen C. (scl)-2

Hi Lionel,

Yes, you can do this. Read the wiki document that covers MFA configuration.

https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration

In particular, look at the example script entitled "Conditional use of two factors, Flow1 and Flow2."

You say you already know how to resolve the attributes, and the example script also demonstrates attribute resolution.

The example does not show how to obtain the SP entityID (which you also need), but that is pretty easy:

rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
rpid = rpCtx.getRelyingPartyId();    // rpid is type String containing SP entityID

Now you can script whatever logical test you want based on attribute values and the entityID.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640

From: users [mailto:[hidden email]] On Behalf Of Lionel Samuel
Sent: Friday, June 29, 2018 11:48 PM
To: Shib Users <[hidden email]>
Subject: DUO MFA Trigger on Attributes
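As an added example (not code from this thread or from the Shibboleth project), here is one way to write the per-SP decision Stephen describes: a small policy table keyed by SP entityID, a pure function that decides whether the user's memberOf values require a second factor, and the glue that pulls the entityID and the resolved attribute out of the context tree the way an IdP 3 MFA flow script would. The entityIDs, the group values and the `makeTestInput` stand-in for `input` are assumptions made up for illustration; in the real MFA script `input` is the ProfileRequestContext the IdP supplies, and the script's last expression (`nextFlow;`) returns the flow ID, with null meaning no further factor is needed. The syntax is kept to ES5 so it runs under the IdP's Nashorn engine as well as in Node.

```javascript
// Added example, not part of the original thread or the Shibboleth project.
// Policy table (assumption for illustration): SP entityID -> memberOf values
// that force a second factor. Real memberOf values are usually full group
// DNs, so match them exactly rather than by substring.
var MFA_POLICY = {
  "https://bar.example.org/shibboleth": ["ou=employee"],
  "https://foo.example.org/shibboleth": ["ou=IT-faculty"]
};

// Flow ID of the second factor, as in the wiki's Duo-based MFA example.
var SECOND_FACTOR_FLOW = "authn/Duo";

// Pure decision logic, so it can be unit-tested outside the IdP.
// SPs that are not in the table get the first factor only; decide
// deliberately whether you want that default (fail open) or the opposite.
function requiresSecondFactor(policy, entityId, memberOfValues) {
  var required = policy[entityId];
  if (!required) {
    return false;
  }
  for (var i = 0; i < memberOfValues.length; i++) {
    if (required.indexOf(memberOfValues[i]) !== -1) {
      return true;
    }
  }
  return false;
}

// What the MFA script body would do: read the SP entityID from the
// RelyingPartyContext, the resolved memberOf values from the AttributeContext
// beneath it, and return the next flow ID or null.
function selectNextFlow(input) {
  var rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
  var rpid = rpCtx.getRelyingPartyId(); // SP entityID as a String
  var attrCtx = rpCtx.getSubcontext("net.shibboleth.idp.attribute.context.AttributeContext");
  var memberOf = attrCtx.getUnfilteredIdPAttributes().get("memberOf");
  var values = [];
  if (memberOf) { // Java Map.get returns null when the attribute was not resolved
    var javaValues = memberOf.getValues(); // java.util.List of IdPAttributeValue
    for (var i = 0; i < javaValues.size(); i++) {
      values.push(String(javaValues.get(i).getValue()));
    }
  }
  return requiresSecondFactor(MFA_POLICY, rpid, values) ? SECOND_FACTOR_FLOW : null;
}

// Constructed stand-in for the IdP's ProfileRequestContext (assumption: it
// mimics only the methods selectNextFlow calls). Pass groups = null to
// simulate a user who has no memberOf attribute at all.
function makeTestInput(entityId, groups) {
  function javaList(arr) {
    return {
      size: function () { return arr.length; },
      get: function (i) { return arr[i]; }
    };
  }
  var memberOfAttr = groups === null ? null : {
    getValues: function () {
      return javaList(groups.map(function (g) {
        return { getValue: function () { return g; } };
      }));
    }
  };
  var attrCtx = {
    getUnfilteredIdPAttributes: function () {
      return { get: function (id) { return id === "memberOf" ? memberOfAttr : null; } };
    }
  };
  var rpCtx = {
    getRelyingPartyId: function () { return entityId; },
    getSubcontext: function (cls) {
      return cls === "net.shibboleth.idp.attribute.context.AttributeContext" ? attrCtx : null;
    }
  };
  return {
    getSubcontext: function (cls) {
      return cls === "net.shibboleth.idp.profile.context.RelyingPartyContext" ? rpCtx : null;
    }
  };
}

// Stand-alone demonstration; in the IdP the script would end with `nextFlow;`.
var nextFlow = selectNextFlow(makeTestInput("https://bar.example.org/shibboleth", ["ou=employee"]));
```

Keeping `requiresSecondFactor` separate from the context-walking code means the policy can be tested with plain strings before it is deployed, and the table can be moved into a property or bean later without touching the decision logic.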