Omit flow by value defined in attribute-resolver.xml


Omit flow by value defined in attribute-resolver.xml

Noriyuki TAKEI
Hi, all.

I’m using MFA that consists of two flows (authn/Password and authn/Totp).

authn/Totp is a new flow I have developed myself.

I would like to omit the authn/Totp flow based on a value defined in attribute-resolver.xml.

For example, when totpFlg defined in attribute-resolver.xml is 1, the authn/Totp flow should be omitted.

In order to achieve this, I defined the following in mfa-authn-config.xml.


<util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkPasswordFlow" />
    </entry>

    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkTotpFlow" />
    </entry>

    <!-- An implicit final rule will return whatever the second flow returns. -->
</util:map>

<bean id="checkPasswordFlow" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
    p:customObject-ref="shibboleth.AttributeResolverService">
   ...omit...
</bean>

<bean id="checkTotpFlow" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
    p:customObject-ref="shibboleth.AttributeResolverService">
    <constructor-arg>
        <value>
        <![CDATA[
            nextFlow = "authn/Totp";
            
            resCtx = input.getSubcontext(
                "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);

            usernameLookupStrategyClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
            usernameLookupStrategy = new usernameLookupStrategyClass();
            resCtx.setPrincipal(usernameLookupStrategy.apply(input));

            resCtx.getRequestedIdPAttributeNames().add("totpFlg");
            resCtx.resolveAttributes(custom);
            attribute = resCtx.getResolvedIdPAttributes().get("totpFlg");
            valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
            if (attribute != null && attribute.getValues().contains(new valueType("1"))) {
                authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
                authResult = Java.type("net.shibboleth.idp.authn.AuthenticationResult");
                subject = input.getSubcontext("net.shibboleth.idp.authn.context.SubjectCanonicalizationContext").getSubject();
                authCtx.setAuthenticationResult( new authResult("authn/Totp",subject));
                nextFlow = null;
            }
            nextFlow;
        ]]>
        </value>
    </constructor-arg>
</bean>

But the error below occurred in idp-warn.log and I cannot access the SP.

2018-05-15 23:22:27,140 - WARN [net.shibboleth.idp.authn.impl.FinalizeAuthentication:179] - Profile Action FinalizeAuthentication: Authentication result for flow authn/MFA did not satisfy the request

I guess that the AuthenticationResult is not set correctly.

Could someone give me a hint?


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Omit flow by value defined in attribute-resolver.xml

O'Dowd, Josh

Firstly, MFA is intended to be scripted only when the default transitions that you specify don’t apply… in other words, you don’t have to make a scripted strategy for authn/Password if that will always be your first factor of authentication; which looks to be the case considering your downstream strategy needs a username.

Secondly, a strategy that decides what the next flow should be should never touch the AuthenticationResult. By replacing the authnResult, you are zapping the c14n that the password flow has already done. That is likely the surface cause of your error. The root cause is likely that your authn/MFA config (in conf/authn/general-authn.xml) doesn’t support the principal(s) that end up in your new authnResult.

-Josh


From: users [mailto:[hidden email]] On Behalf Of Noriyuki TAKEI
Sent: Tuesday, May 15, 2018 9:26 AM
To: Shib Users <[hidden email]>
Subject: Omit flow by value defined in attribute-resolver.xml
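A corrected mfa-authn-config.xml fragment that follows the two points above, as an added example and not code from the thread or from the Shibboleth project: the first transition names authn/Password directly instead of a scripted strategy, and the TOTP strategy only returns null to end the MFA flow (the Password result already recorded is then used), never replacing the AuthenticationResult. The totpFlg attribute name, the "1" value and the flow id authn/Totp are taken from the original post; the principals listed for authn/MFA in general-authn.xml must still cover what the Password flow produces.

```xml
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- The first factor is always Password, so no scripted strategy is needed here. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>

    <!-- After Password has produced a canonical username, decide whether TOTP is required. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkTotpFlow" />
    </entry>

    <!-- An implicit final rule will return whatever the second flow returns. -->
</util:map>

<bean id="checkTotpFlow" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
    p:customObject-ref="shibboleth.AttributeResolverService">
    <constructor-arg>
        <value>
        <![CDATA[
            // Default: require the second factor.
            nextFlow = "authn/Totp";

            // Resolve totpFlg for the user the Password flow just authenticated.
            resCtx = input.getSubcontext(
                "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
            usernameLookupStrategyClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
            usernameLookupStrategy = new usernameLookupStrategyClass();
            resCtx.setPrincipal(usernameLookupStrategy.apply(input));
            resCtx.getRequestedIdPAttributeNames().add("totpFlg");
            resCtx.resolveAttributes(custom);

            attribute = resCtx.getResolvedIdPAttributes().get("totpFlg");
            valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
            if (attribute != null && attribute.getValues().contains(new valueType("1"))) {
                // totpFlg == 1: skip TOTP. Returning null completes the MFA flow with the
                // Password result that is already active; no AuthenticationResult is replaced.
                nextFlow = null;
            }

            // Drop the resolution context so it does not linger in the profile context.
            input.removeSubcontext(resCtx);
            nextFlow;
        ]]>
        </value>
    </constructor-arg>
</bean>
```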