MFA on demand


Instructions are applicable to VM based deployments only.

This document shows how to implement a scenario where one specific SAML SP requires Multi-Factor Authentication, whereas all other SAML SPs authenticate with a simple username/password only. A similar requirement is described here.

Here, we have configured the Gluu Server so that it asks for “DUO” as the second factor for one specific Service Provider. All other connected Service Providers authenticate normally, without 2FA/Duo/MFA.

Background

For testing purposes, we are configuring a Shibboleth SP that requests the special ACR https://refeds.org/profile/mfa. When an SP requests that ACR, the Gluu Server invokes “OTP” as the second factor. For every other SP, login remains the usual Username/Password.

SP configuration

  • Not required for this document.

IDP configuration

Configuration from oxTrust

  • Create new SAML ACR:
    • oxTrust > Configuration > Manage SAML ACRs
      • Add new Entry
        • Parent: shibboleth.SAML2AuthnContextClassRef
        • Class Ref: https://refeds.org/profile/mfa
  • Enable that ACR in the OTP script's parameters:
    • Person Authentication Script > OTP
    • Select SAML ACRs: https://refeds.org/profile/mfa
    • Save
  • Enable that ACR in this specific SP’s trust relationship:
    • Configure Relying Party > SAML2SSO profile:
      • conditional
      • never
      • conditional
      • never
      • never
      • Default AuthN Methods: https://refeds.org/profile/mfa
    • Save

Configuration file modification [this might not be required from 4.5.1 onwards].

  • authn.properties:
    • location: /opt/shibboleth-idp/conf/authn
    • Section Duo:
        idp.authn.Duo.supportedPrincipals = \
            saml2/https://refeds.org/profile/mfa, \
            saml2/http://example.org/ac/classes/mfa, \
            saml1/http://example.org/ac/classes/mfa
    • Section MFA:
        idp.authn.MFA.supportedPrincipals = \
            saml2/https://refeds.org/profile/mfa, \
            saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
            saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
            saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
            saml1/urn:oasis:names:tc:SAML:1.0:am:password
    • Section oxAuth:
        idp.authn.oxAuth.supportedPrincipals = \
            saml2/https://refeds.org/profile/mfa, \
            saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
            saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
            saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  • Restart the idp service only.
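
The setup above only works as intended if the special SP, after requesting https://refeds.org/profile/mfa, also verifies that the IdP's Response actually reports that class in its AuthnStatement; otherwise a password-only assertion from the same IdP would be accepted as MFA. The following is an added, standalone Python example (not Gluu or Shibboleth code) that performs that SP-side check on a constructed, unsigned sample Response; signature validation is assumed to happen separately.

```python
"""SP-side check: does the SAML Response carry the requested AuthnContextClassRef?

Added example, not part of the Gluu documentation. Only the standard library is
used, and the sample Response below is constructed for illustration (unsigned;
signature verification is a separate step that must still be done).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REFEDS_MFA = "https://refeds.org/profile/mfa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def authn_context_classes(response_xml: str) -> list:
    """Return every AuthnContextClassRef value found in the Response's assertions."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.findall(path, NS)]


def satisfies_requested_acr(response_xml: str, requested: str) -> bool:
    """True only if at least one AuthnStatement exists and every one of them
    reports exactly the requested class; a missing or empty class ref fails."""
    classes = authn_context_classes(response_xml)
    return bool(classes) and all(c == requested for c in classes)


def sample_response(acr: str) -> str:
    """Constructed sample Response with a single AuthnStatement (hypothetical IDs)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed_r1" Version="2.0">
  <saml:Assertion ID="_constructed_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{acr}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # The MFA assertion passes; a password-only assertion from the same IdP does not.
    for acr in (REFEDS_MFA, PPT, ""):
        print(repr(acr), "->", satisfies_requested_acr(sample_response(acr), REFEDS_MFA))
```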
