Getting the Destination URL for a scripted attribute?

Getting the Destination URL for a scripted attribute?

Bryan K. Walton-4
We have a scripted attribute that does a few things to determine
whether a user needs second factor authentication.  It is based upon the
code example supplied by Andrew Morgan, here:

http://shibboleth.net/pipermail/users/2018-January/038921.html

Here is his code:

-------------------

     <AttributeDefinition id="needs_duo" xsi:type="ScriptedAttribute">
         <Dependency ref="ONIDLDAP" />
         <Script><![CDATA[
             logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute.resolver.needs_duo");
             duoflag = "0";
             // Flag users who are members of the Duo opt-in group (DN compared case-insensitively).
             for (i = 0; i < ismemberof.getValues().size(); i++) {
                 tmp = ismemberof.getValues().get(i);
                 if (tmp.toLowerCase().equals("cn=duo-opt-in,ou=duo,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu")) {
                     logger.debug("User is opted-in to Duo");
                     duoflag = "1";
                 }
             }
             // Force Duo for specific relying parties, keyed on the SP entityID.
             rpid = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();
             logger.debug("rpid=" + rpid);
             if (rpid.equals("http://people.oregonstate.edu/~morgan/CAS-1.3.4/test.php")) {
                 duoflag = "1";
             }
             if (rpid.equals("http://people.oregonstate.edu/~morgan/simplesaml/module.php/saml/sp/metadata.php/default-sp")) {
                 duoflag = "1";
             }
             // Emit the flag as the attribute's single value.
             needs_duo.addValue(duoflag);
             logger.debug("needs_duo final value: " + needs_duo.getValues().get(0));
         ]]></Script>
     </AttributeDefinition>

-------------

This code works well for us, setting the duoflag for certain users and/or
entityIDs.

We also have a case where we have one web site that we want to exempt from
second factor auth, even though it is on an SP where the other web sites
do require MFA.

Therefore, I'd like to find a way to add into Andy's script a way to set
duoflag = "0" depending on the authenticated user's destination URL.

Can somebody suggest how this code should be modified for that?  I tried
relayState, but it seems that the SP isn't passing that to the IdP.  I
also tried HttpServletRequest with the host header.  But that seemed to
supply the IdP host, rather than the user's original URL.

Thanks!
Bryan
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
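The decision logic in Andy's script, lifted out of the IdP as an added example (not code from the thread) so it can be unit-tested offline; the group DN and entityIDs in POLICY are constructed placeholders. As the replies below note, the IdP keys this on the SP's entityID, not on the resource URL the user asked the SP for.

```javascript
// Added example: the needs_duo decision as a pure function.
// POLICY values are constructed placeholders, not real group DNs or entityIDs.
const POLICY = {
  // LDAP group DNs whose members have opted in to Duo.
  optInGroups: [
    "cn=duo-opt-in,ou=duo,ou=groups,o=example.edu",
  ],
  // Relying party entityIDs that always require a second factor.
  // Only the entityID is visible here; the resource URL is not.
  forceMfaRelyingParties: [
    "https://sp.example.edu/shibboleth",
  ],
};

function normalizeDn(dn) {
  // Collapse case and whitespace around RDN separators so
  // "CN=Duo-Opt-In, OU=groups, ..." matches the configured DN,
  // generalizing the toLowerCase() comparison in the original script.
  return dn.toLowerCase().replace(/\s*,\s*/g, ",").trim();
}

/**
 * Returns "1" if the user needs Duo, otherwise "0", mirroring the
 * string flag the scripted attribute emits.
 * @param {string[]} isMemberOf  values of the user's isMemberOf attribute
 * @param {string}   rpid        relying party entityID from RelyingPartyContext
 * @param {object}   policy      opt-in groups and forced-MFA entityIDs
 */
function needsDuo(isMemberOf, rpid, policy) {
  const optIn = new Set(policy.optInGroups.map(normalizeDn));
  // A user with no group attribute at all is simply not opted in.
  const userOptedIn = (isMemberOf || []).some(dn => optIn.has(normalizeDn(dn)));
  const rpForces = policy.forceMfaRelyingParties.includes(rpid);
  return (userOptedIn || rpForces) ? "1" : "0";
}
```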

Re: Getting the Destination URL for a scripted attribute?

Cantor, Scott E.
On 11/15/19, 4:48 PM, "users on behalf of Bryan K. Walton" <[hidden email] on behalf of [hidden email]> wrote:

> Therefore, I'd like to find a way to add into Andy's script a way to set
> duoflag = "0" depending on the authenticated user's destination URL.

You don't get the URL unless you control the SP enough to force it to violate the standard with respect to RelayState, which is not meant to carry it.

-- Scott



Re: Getting the Destination URL for a scripted attribute?

Bryan K. Walton-4
On Fri, Nov 15, 2019 at 09:51:05PM +0000, Cantor, Scott wrote:
> > Therefore, I'd like to find a way to add into Andy's script a way to set
> > duoflag = "0" depending on the authenticated user's destination URL.
>
> You don't get the URL unless you control the SP enough to force it to violate the standard with respect to RelayState, which is not meant to carry it.
>

Thanks for the reply, Scott.  This is interesting.  So, what I hear you
saying is that even though I can see the destination URL in the
idp-process.log, there isn't a way to work with it? (other than the
relayState standard violation).

Thanks!
Bryan

Re: Getting the Destination URL for a scripted attribute?

Cantor, Scott E.
On 11/15/19, 5:00 PM, "users on behalf of Bryan K. Walton" <[hidden email] on behalf of [hidden email]> wrote:

> Thanks for the reply, Scott.  This is interesting.  So, what I hear you
> saying is that even though I can see the destination URL in the
> idp-process.log, there isn't a way to work with it? (other than the
> relayState standard violation).

If it's in the log, then I guess it's in the RelayState. Don't confuse the resource with the AssertionConsumerService the message is sent back to.
 
-- Scott



Re: Getting the Destination URL for a scripted attribute?

Bryan K. Walton-4
On Fri, Nov 15, 2019 at 10:08:33PM +0000, Cantor, Scott wrote:
>
> > Thanks for the reply, Scott.  This is interesting.  So, what I hear you
> > saying is that even though I can see the destination URL in the
> > idp-process.log, there isn't a way to work with it? (other than the
> > relayState standard violation).
>
> If it's in the log, then I guess it's in the RelayState. Don't confuse the resource with the AssertionConsumerService the message is sent back to.
>  

Understood.

Thanks.