No attributes after enabling MFA flow


No attributes after enabling MFA flow

Paul B. Henson-2
So I went to deploy Duo MFA in production for a limited pilot group, but had to rapidly back it out after I discovered attributes were not being passed to SAML service providers 8-/. CAS protocol based services seemed to be fine, but accessing a SAML service using the MFA flow resulted in no attributes:

2018-05-16 20:02:23,498 - 20180517T030223Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_6f429c5972ac26ee63ab40e1c361c8c7|https://shib.lynda.com/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.cpp.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_bbeba5abde9eb665ef11148534fe4cf2|henson|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|||_ab6c54c29f3412dc20be258376caa86e|

Changing the idp.authn.flows parameter back to "Password", attributes returned:

2018-05-16 20:11:33,420 - 20180517T031133Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_85c62aff0ad5135125d2b40cc1940c8f|https://shib.lynda.com/shibboleth-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.cpp.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_0551f270209c95c535a8983cca707944|henson|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonEntitlement,mail,eduPersonAffiliation,givenName,calstateEduPersonEmplID,sn,cn|aYcr2tew+mg5Jkun1J6L2xUCZZY=|_851178db5423ad267cc91808da667b3b|

I'm going to call it a night and revisit this in the morning, but any thoughts on what might be going on here? I don't know if it's relevant, but I'm using a custom version of 3.3.3 with IDP-1114 back ported; I'll try the stock version tomorrow and see if that makes a difference.

Thanks...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: No attributes after enabling MFA flow

Paul B. Henson-2
On Thu, May 17, 2018 at 03:34:42AM +0000, Paul B. Henson wrote:
> I'm going to call it a night and revisit this in the morning, but any

Hmm, well, I tried one quick thing before giving up; if I change my MFA
checkSecondFactor script to be just:

nextFlow = 'authn/Duo';
nextFlow;

attributes show up. So there must be something goofy in my more
complicated script <sigh>. I didn't think I was having this problem when
I was initially testing in dev, but after updating the MFA selection
logic to something more complicated I think I only tested with CAS
services, not SAML ones, in my dev environment.

Does anything jump out as broken in this?

// list of regular expressions for MFA strictly required service providers
mfa_sp_regexes = [
    'https://login.calstate.edu/cfs/mfa',
];

logger = Java.type('org.slf4j.LoggerFactory').getLogger('mfa-check');

authCtx = input.getSubcontext('net.shibboleth.idp.authn.context.AuthenticationContext');
mfaCtx = authCtx.getSubcontext('net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext');

nextFlow = null;

resCtx = input.getSubcontext('net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext', true);
usernameLookupStrategyClass = Java.type('net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy');
usernameLookupStrategy = new usernameLookupStrategyClass();
resCtx.setPrincipal(usernameLookupStrategy.apply(input));
resCtx.getRequestedIdPAttributeNames().add('cppEduPersonStatusFlag');
resCtx.resolveAttributes(custom);
status_flag = resCtx.getResolvedIdPAttributes().get('cppEduPersonStatusFlag');

stringType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
if (status_flag != null && status_flag.getValues().contains(new stringType('duo_activated'))) {
    logger.info('user has Duo available');
    nextFlow = 'authn/Duo';
}
else {
    rpid = profileContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext').getRelyingPartyId();
    logger.info('no Duo available for user');
    // 'every' returns true if the check returns true for every element, or
    //   false as soon as a check returns false. So it will return true if none
    //   of the regexps match the SP, or false as soon as one does.
    if (!mfa_sp_regexes.every(function(element)
            { re = new RegExp(element); return !re.test(rpid); })) {
        logger.info('SP ' + rpid + ' requires MFA, failing');
        mfaCtx.setEvent('MFAlacking');
    }
}

nextFlow;



Thanks...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768

Re: No attributes after enabling MFA flow

Andrew Morgan
Paul,

Did you clean up the resCtx?  I remember Scott pointed out to me that you
have to include something like this:

   input.removeSubcontext(resCtx);   // cleanup

near the end of your MFA script.  Something about it stepping on later
attribute resolution...

In my case, I have that cleanup as the last line before I return nextflow.

Thanks,
  Andy

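To show why the cleanup Andy describes matters, here is an added example, not code from this thread or from the Shibboleth IdP: a small Node.js model of the IdP's context tree in which the MFA script creates an AttributeResolutionContext with a single requested attribute and a later resolution stage reuses whatever context it finds. The class names, the directory data, the release filter and the "empty requested set means resolve everything" rule are constructed assumptions for illustration; `checkSecondFactor` follows the structure of Paul's script with the cleanup exposed as a parameter so both outcomes can be compared.

```javascript
// Added example (constructed model, not the IdP's classes): why a stale
// AttributeResolutionContext left by the MFA script starves later resolution.

const RES_CTX = 'net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext';

// Constructed sample directory data for the example.
const DIRECTORY = {
  henson: {
    cppEduPersonStatusFlag: ['duo_activated'],
    mail: ['henson@example.edu'],
    sn: ['Henson'],
    givenName: ['Paul'],
  },
  nomfa: { mail: ['nomfa@example.edu'], sn: ['Nobody'] },
};

// Constructed list of SPs that strictly require MFA (regular expressions).
const MFA_SP_REGEXES = ['^https://login\\.example\\.edu/cfs/mfa'];

// Minimal stand-in for the IdP's context tree: only the resolution context is
// modelled, and the two calls the script uses are getSubcontext/removeSubcontext.
class BaseContext {
  constructor() { this.children = new Map(); this.events = []; }
  getSubcontext(name, create = false) {
    if (!this.children.has(name) && create) this.children.set(name, new AttributeResolutionContext());
    return this.children.get(name) || null;
  }
  removeSubcontext(name) { this.children.delete(name); }
}

class AttributeResolutionContext {
  constructor() { this.principal = null; this.requested = new Set(); this.resolved = {}; }
  setPrincipal(p) { this.principal = p; }
  getRequestedIdPAttributeNames() { return this.requested; }
  // Assumed resolver behaviour: an empty requested set resolves every attribute
  // of the principal; a non-empty set restricts resolution to those names.
  resolveAttributes() {
    const all = DIRECTORY[this.principal] || {};
    const wanted = this.requested.size ? [...this.requested] : Object.keys(all);
    this.resolved = Object.fromEntries(wanted.filter(n => n in all).map(n => [n, all[n]]));
  }
  getResolvedIdPAttributes() { return this.resolved; }
}

// The MFA decision, shaped like the script in the thread. `cleanup` controls
// whether the context is removed again; in the real script that is the
// input.removeSubcontext(resCtx) line Andy refers to.
function checkSecondFactor(input, username, rpid, cleanup) {
  let nextFlow = null;
  const resCtx = input.getSubcontext(RES_CTX, true);
  try {
    resCtx.setPrincipal(username);
    resCtx.getRequestedIdPAttributeNames().add('cppEduPersonStatusFlag');
    resCtx.resolveAttributes();
    const flag = resCtx.getResolvedIdPAttributes().cppEduPersonStatusFlag;
    if (flag && flag.includes('duo_activated')) {
      nextFlow = 'authn/Duo';
    } else if (MFA_SP_REGEXES.some(re => new RegExp(re).test(rpid))) {
      input.events.push('MFAlacking'); // stands in for mfaCtx.setEvent('MFAlacking')
    }
  } finally {
    if (cleanup) input.removeSubcontext(RES_CTX); // the cleanup step
  }
  return nextFlow;
}

// Model of the IdP's later resolution stage: it reuses an existing
// AttributeResolutionContext if present, otherwise creates a fresh one.
function resolveForRelease(input, username) {
  const resCtx = input.getSubcontext(RES_CTX, true);
  resCtx.setPrincipal(username);
  resCtx.resolveAttributes();
  const names = Object.keys(resCtx.getResolvedIdPAttributes()).sort();
  input.removeSubcontext(RES_CTX);
  return names;
}

// One login: MFA decision, then attribute resolution for release. The
// internal status flag is modelled as never released by the filter policy.
function simulateLogin(cleanup) {
  const prc = new BaseContext();
  const flow = checkSecondFactor(prc, 'henson', 'https://sp.example.edu/shibboleth-sp', cleanup);
  const released = resolveForRelease(prc, 'henson').filter(n => n !== 'cppEduPersonStatusFlag');
  return { flow, released };
}

console.log('without cleanup:', JSON.stringify(simulateLogin(false)));
console.log('with cleanup:   ', JSON.stringify(simulateLogin(true)));
```

Without the cleanup the later stage inherits the single requested name from the MFA script, resolves only the status flag, and releases nothing; with the cleanup it starts from an empty request set and releases the user's normal attributes. Putting the removal in a `finally` block keeps it from being skipped when an earlier line throws.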

Re: No attributes after enabling MFA flow

Paul B. Henson-2
On Wed, May 16, 2018 at 09:33:15PM -0700, Andrew Morgan wrote:

>    input.removeSubcontext(resCtx);   // cleanup
>
> near the end of your MFA script.  Something about it stepping on later
> attribute resolution...

No, I didn't have that. Looks like that did the trick in my dev
environment, I'll give it another go in prod. Weird that it borks up
attributes for SAML but not CAS.

I actually based my attribute lookup on the example you provided me on
the list a while back; I see now, looking back on it, that your example
did include that line, but with my black magic level of understanding of
this stuff I neglected to copy that along with the rest 8-/.

Thanks much for pointing that out, much appreciated...


--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768

RE: No attributes after enabling MFA flow

Cantor, Scott E.
> No, I didn't have that. Looks like that did the trick in my dev environment, I'll
> give it another go in prod. Weird that it borks up attributes for SAML but not
> CAS.

Back channel vs. front channel.

-- Scott
