MFA and Proxy?


Harald Hannelius

Nov 9, 2021, 5:06:16 AM11/9/21
to simple...@googlegroups.com


Hello there,

is it possible in Proxy mode to relay requirements and info about successful
MFA through SimpleSAMLphp? The proxied IdP is an ADFS and
would perform MFA. SSP is an IdP in a federation where SPs could ask for
MFA.

Thanks

--

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020

Tim van Dijen

Nov 9, 2021, 6:11:04 AM11/9/21
to SimpleSAMLphp
Hi Harald,

Proxy support is a little bit under-developed, but it should be possible with a little bit of a hack.
I think you should omit setting the AuthnContextClassRef in saml20-idp-hosted.php and use a core:PHP authproc to manually set it to the value received by the external IDP (which you can pull from the state-variable).
If that doesn't work, you could try and store the received AuthnContextClassRef in a temporary attribute (also using core:PHP) and then in saml20-sp-remote.php you can use another core:PHP authproc to pull the temporary attribute and put it into $state['saml:AuthnContextClassRef'].
Can you give it a try and let us know if it worked?

- Tim

On Tuesday, 9 November 2021 at 11:06:16 UTC+1, harald.h...@arcada.fi wrote:
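The core:PHP approach Tim describes, as a worked example added here (not code from the thread or from the SimpleSAMLphp project). It assumes SimpleSAMLphp keeps the upstream IdP's AuthnContextClassRef in $state['saml:sp:AuthnContext'] and the SP's RequestedAuthnContext in $state['saml:RequestedAuthnContext'], and reuses the Azure AD claim names from Pat's later reply; what ADFS actually sends is not confirmed in this thread.

```php
<?php
// Added example: an 'authproc' entry for saml20-idp-hosted.php on the proxy.
// Assumed state keys: $state['saml:sp:AuthnContext'] (context received from
// the upstream IdP) and $state['saml:AuthnContextClassRef'] (context the
// hosted IdP asserts). The attribute/claim values are the Azure AD ones.
$config = [
    'authproc' => [
        50 => [
            'class' => 'core:PHP',
            'code'  => '
                $mfaContext  = "https://refeds.org/profile/mfa";
                $upstreamMfa = false;

                // Case 1: the upstream IdP asserted the REFEDS MFA context itself.
                if (($state["saml:sp:AuthnContext"] ?? null) === $mfaContext) {
                    $upstreamMfa = true;
                }

                // Case 2: the upstream IdP signals MFA through an attribute
                // (Azure AD style claim; ADFS value not confirmed).
                $amr = $attributes["http://schemas.microsoft.com/claims/authnmethodsreferences"] ?? [];
                if (in_array("http://schemas.microsoft.com/claims/multipleauthn", $amr, true)) {
                    $upstreamMfa = true;
                }

                if ($upstreamMfa) {
                    // Relay the MFA signal to the federation SP.
                    $state["saml:AuthnContextClassRef"] = $mfaContext;
                } else {
                    // Never assert MFA the proxy cannot vouch for. If the SP
                    // required it, fail the login instead of downgrading silently.
                    $requested = $state["saml:RequestedAuthnContext"]["AuthnContextClassRef"] ?? [];
                    if (in_array($mfaContext, $requested, true)) {
                        throw new \SimpleSAML\Error\Exception(
                            "SP requires MFA but the upstream IdP did not perform it"
                        );
                    }
                    // Fall back to the hosted IdP default context.
                    unset($state["saml:AuthnContextClassRef"]);
                }
            ',
        ],
    ],
];
```

The filter must run after the SP side of the proxy has populated $state, so place it in the hosted IdP's authproc chain rather than in the SP's.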

pat...@cirrusidentity.com

Nov 9, 2021, 1:23:38 PM11/9/21
to SimpleSAMLphp

We have an authproc filter that is intended for this purpose and does what Tim described. See https://github.com/cirrusidentity/simplesamlphp-module-cirrusgeneral#conditionalsetauthncontext
We run it in saml20-idp-hosted.php

I'm not sure what ADFS sends to the proxy to indicate MFA was performed, but for Azure AD and Okta the config looks like

Azure AD:

    // entry in the 'authproc' array of saml20-idp-hosted.php
    [
        'class' => 'cirrusgeneral:ConditionalSetAuthnContext',
        'path' => ['Attributes', 'http://schemas.microsoft.com/claims/authnmethodsreferences'],
        'value' => 'http://schemas.microsoft.com/claims/multipleauthn',
        'contextToAssert' => 'https://refeds.org/profile/mfa',
    ]

Okta:

    // entry in the 'authproc' array of saml20-idp-hosted.php
    [
        'class' => 'cirrusgeneral:ConditionalSetAuthnContext',
        'path' => ['Attributes', 'session.amr'],
        'value' => 'mfa',
        'contextToAssert' => 'https://refeds.org/profile/mfa',
    ]

Harald Hannelius

Nov 11, 2021, 2:58:28 AM11/11/21
to SimpleSAMLphp


Thank you both for these tips! I will set up some kind of test environment
and see what happens. I will get back to you when I have had the time to
actually do something :)

