I see that people will be looking at SATOSA next week at the T&I Hackathon in
Copenhagen. I won't be there but wonder if it's an opportunity for someone who
knows the code well to consider the AuthnContext discussion below?
-----Original Message-----
From: "James Jokl (virginia.edu)" <jaj at virginia.edu>
Date: Monday, August 26, 2019 at 4:15 PM
To: Ivan Kanakarakis <ivan.kanak at gmail.com>
Cc: "satosa-users at lists.sunet.se" <satosa-users at lists.sunet.se>
Subject: Re: [satosa-users] MFA and SATOSA
Thank you -- having never looked at the source code, this is most likely not going to
be easy for me to do. I'll try to make some time later this week to see if it’s
practical for me to dig in and look.
Jim
-----Original Message-----
From: Ivan Kanakarakis <ivan.kanak at gmail.com>
Date: Wednesday, August 21, 2019 at 2:24 PM
To: "James Jokl (virginia.edu)" <jaj at virginia.edu>
Cc: "satosa-users at lists.sunet.se" <satosa-users at lists.sunet.se>
Subject: Re: [satosa-users] MFA and SATOSA
Hello James,
On Wed, 14 Aug 2019 at 00:19, Jokl, James A (jaj) <jaj at virginia.edu> wrote:
> My question: is satosa supposed to pass the SP’s requested AuthnContext to the end user’s
> IdP and pass back the IdP’s response?
No, SATOSA does not do that at the moment. I think it is easy to
support, though.
A new configuration option would be introduced. When set, the saml2
frontend would store the AuthnContext, and the saml2 backend would
preserve it when recreating the AuthnRequest.
Alternatively, the AuthnContext could always be preserved and a
micro-service could be used to clear it or let it pass. This would be
more flexible if one would want to have functionality that is related
to a specific set of IdPs or SPs (the micro-service would have to
support this, but it is common to do that in a micro-service.)
> I’ll dig some more but am hoping that someone already knows how/if this should work in
> satosa.
> Thanks much, Jim
Cheers,
--
Ivan c00kiemon5ter Kanakarakis >:3
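
A stand-alone model of the second design described in the reply above: the frontend always stores the SP's requested AuthnContext, a micro-service clears it or lets it pass per SP/IdP, and the backend preserves it when recreating the AuthnRequest. This is an added example, not SATOSA code and not part of the thread; every class, function and dictionary key is hypothetical, and the entity IDs and the requested class reference are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample values; entity IDs are placeholders.
MFA = "https://refeds.org/profile/mfa"
SP_MFA = "https://sp-mfa.example.org/metadata"
SP_OTHER = "https://sp-other.example.org/metadata"
IDP = "https://idp.example.edu/idp"

@dataclass
class ProxyState:
    """What the frontend keeps between the SP's request and the IdP's response."""
    sp_entity_id: str
    class_refs: list = field(default_factory=list)
    comparison: str = "exact"

@dataclass
class PassThroughPolicy:
    """Hypothetical micro-service: SP/IdP pairs for which the context is let pass."""
    sps: set
    idps: set

    def apply(self, state, idp_entity_id):
        """Return the class refs to forward; an empty list means 'cleared'."""
        if state.sp_entity_id in self.sps and idp_entity_id in self.idps:
            return list(state.class_refs)
        return []

def frontend_store(sp_entity_id, authn_request):
    """Frontend: store the SP's RequestedAuthnContext rather than dropping it."""
    rac = authn_request.get("requested_authn_context") or {}
    return ProxyState(sp_entity_id, list(rac.get("class_refs", [])),
                      rac.get("comparison", "exact"))

def backend_request(state, idp_entity_id, policy):
    """Backend: recreate the AuthnRequest, preserving the context if it passed."""
    request = {"destination": idp_entity_id}
    refs = policy.apply(state, idp_entity_id)
    if refs:
        request["requested_authn_context"] = {
            "class_refs": refs, "comparison": state.comparison}
    return request

if __name__ == "__main__":
    policy = PassThroughPolicy(sps={SP_MFA}, idps={IDP})
    sp_request = {"requested_authn_context": {"class_refs": [MFA]}}
    for sp in (SP_MFA, SP_OTHER):
        print(sp, backend_request(frontend_store(sp, sp_request), IDP, policy))
```

An SP that asked for MFA and had its context cleared by policy receives an assertion it should reject, so the pass-through list needs to cover every SP that enforces the requested context.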