Versions Compared

Old Version 8

changes.mady.by.user Hong Ye

Saved on

compared with

New Version Current

changes.mady.by.user Hong Ye

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


Code Block
titleApache 2.2
AuthType shibboleth
ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa
ShibRequestSetting requireSession 1
ShibRequireAll on
ShibCompatWith24 on
Require shib-session
Require authnContextClassRef "https://refeds.org/profile/mfa"


Info

If this site only require Two-Factor for certain location, this configuration will not work reliably. If the user doesn't have valid session and requests content in the Two Factor required directory first, two-factor will be enforced. If the user requests content from your site that NOT requires Two Factor and then requests content in the Two Factor directory, user may get authorization denied error if user hasn't completed two factor.

To resolve this issue, we can redirect authorization denied error to a script and use that script to redirect user to IDP for second factor authentication.

<Location /myTwoFactor>

   AuthType shibboleth
   ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa
   ShibRequestSetting requireSession 1
   <RequireAll>
      Require authnContextClassRef "https://refeds.org/profile/mfa"
      Require shib-session
   </RequireAll>

      ErrorDocument 401 /cgi-bin/mfaChk.cgi ( this is just an example, you can replace it with your own script)

</Location>

Code Block
titlemfaChk.cgi
#! /usr/bin/perl
use strict;
use CGI qw(:standard);

#get user's authentication context. If user already have MFA profile in the context, 
#it means user is redirected to this script because user doesn't meet other authorize rules. So we should just redirect user to an error document.  
#if mod_proxy_ajp is being used in your environment, you might need to replace $ENV{Shib_AuthnContext_Class} with $ENV{AJP_Shib_AuthnContext_Class}
my($authnContext) =  $ENV{Shib_AuthnContext_Class};
if ( index($authnContext, "https://refeds.org/profile/mfa") > -1 ) {
    print redirect(-url=>'/error.html');
}else{
#user hasn't completed 2FA, send user back to IDP for second-factor authentication
    my($returnTarget) = $ENV{REDIRECT_SCRIPT_URI};
    print redirect(-url=>"/Shibboleth.sso/Login?authnContextClassRef=https%3A%2F%2Frefeds.org%2Fprofile%2Fmfa&target=$returnTarget");
}

 

 

 

 

 

...