SAML: Support for authnContextClassRef in proxy mode#833
tauceti2 wants to merge 5 commits into simplesamlphp:master from
We have some proxy use cases where this is undesirable, so it would be nice if there was a way to opt in or opt out of the behavior change. The use case is that SPs request MFA from the proxy. The proxy performs its own MFA for users, and we don't want to request MFA from upstream IdPs.
Hi @pradtke, added a configuration option which can enable that behaviour. By default it is off.
If SSP works as a proxy, this code retains the requested authnContextClassRef from the SP behind the proxy and passes it to the upstream IdP. It also passes the authnContextClassRef sent by the upstream IdP back to the SP behind the proxy.
Codecov Report
@@ Coverage Diff @@
##             master     #833      +/-   ##
============================================
+ Coverage     40.39%   41.56%   +1.17%
+ Complexity     3454     3438      -16
============================================
  Files           142      142
  Lines         10401    10343      -58
============================================
+ Hits           4201     4299      +98
+ Misses         6200     6044     -156
Hello. For those who use SimpleSAMLphp as a proxy to delegate authentication to Azure AD and have to be NIH ready (REFEDS MFA profile):

File SP.php - add this before line 487:

    // Rewrite the REFEDS MFA class ref requested by the SP into the one Azure AD understands
    if ($state['saml:RequestedAuthnContext']['AuthnContextClassRef'][0] === "https://refeds.org/profile/mfa") {
        $state['saml:RequestedAuthnContext']['AuthnContextClassRef'][0] = 'http://schemas.microsoft.com/claims/multipleauthn';
    }

File SAML2.php - add this before line 1137:

    // Translate the class ref asserted by Azure AD back to the REFEDS one before it is returned to the SP
    if (isset($state['saml:RequestedAuthnContext']) && $state['saml:sp:AuthnContext'] === "http://schemas.microsoft.com/claims/multipleauthn") {
        $state['saml:sp:AuthnContext'] = "https://refeds.org/profile/mfa";
    }

In config.php and authsources.php:

    'proxymode.passAuthnContextClassRef' => true,
This is way too specific for R&E federations to add to this PR.
Any idea when this will be merged? It's something we could really use in our setup.
I think we need to have a fundamental discussion on how to deal with "proxy-mode"... There are literally a ton of elements in a SAML request/response that you may or may not want to relay through the proxy, and I don't like the idea of adding configuration settings for all of them.
This pull request is now referenced from the REFEDS MFA Profile implementation FAQ. For that reason, I wanted to note that since the patch was first written there have been changes to SSP that mean you need to make sure you include the later merge commits (and particularly 2c6cf5a) if you're trying to use this as a patch against recent SSP.
Forward port of @tauceti2 patch in simplesamlphp#833 to apply cleanly against simplesamlphp-2.0.0-rc2
I've forward ported this for simplesamlphp 2.0.0-rc2, and the patch is in 5544663
I can't seem to cherry-pick that commit. It's not part of any branch. What exactly did you do @ghalse?
It's part of the authnContextClassRef branch in ghalse/simplesamlphp, which was based off the simplesamlphp-2.0 branch simplesamlphp-2.0...ghalse:simplesamlphp:authnContextClassRef |
Ah, thanks! Cherry-pick it!
If SSP works as a proxy, this code retains the requested authnContextClassRef from the SP behind the proxy and passes it to the upstream IdP. It also passes the authnContextClassRef sent by the upstream IdP back to the SP behind the proxy. With this change, SPs behind the proxy can request different authentication methods, which is especially useful for supporting multi-factor authentication.
Please review the code, and whether it is acceptable also for the mode in which SSP does not work as a proxy.
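The two relay points this PR describes (forward the SP's requested class ref upstream, hand the upstream IdP's asserted class ref back to the SP), together with the REFEDS-to-Azure AD mapping from the review comment above, as an added example. This is not code from the PR, from SimpleSAMLphp, or from that comment: it is written as stand-alone PHP functions over SimpleSAMLphp-style $state arrays rather than as a patch against SP.php / SAML2.php. The state keys 'saml:RequestedAuthnContext' and 'saml:sp:AuthnContext' and the option name 'proxymode.passAuthnContextClassRef' are taken from the page; the mapping table, the function names, the Comparison="exact" handling and the refuse-to-relay check are assumptions added here. The check is the part a practitioner wants and the one-line patches above lack: if the upstream IdP asserts something weaker than the SP asked for, the proxy must not assert MFA on its behalf.

```php
<?php
// Added example, not code from simplesamlphp PR #833 or from the review
// comment above. Models the proxy's two relay points as stand-alone
// functions over SimpleSAMLphp-style $state arrays.
//
// From the page: state keys 'saml:RequestedAuthnContext' (filled from the
// inbound AuthnRequest) and 'saml:sp:AuthnContext' (filled from the upstream
// Response), and the option 'proxymode.passAuthnContextClassRef'.
// Assumed for illustration: the mapping table, the function names, and that
// the SP used Comparison="exact" (the SAML default).

const REFEDS_MFA = 'https://refeds.org/profile/mfa';
const AZURE_MFA  = 'http://schemas.microsoft.com/claims/multipleauthn';
const PASSWORD   = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';

// Federation class ref -> what the upstream IdP understands (outbound), and back (inbound).
const OUTBOUND_MAP = [REFEDS_MFA => AZURE_MFA];
const INBOUND_MAP  = [AZURE_MFA => REFEDS_MFA];

/**
 * Outbound leg: the RequestedAuthnContext to put in the AuthnRequest sent
 * upstream, or null to send none (option off, or the SP requested nothing),
 * in which case SSP keeps its existing behaviour.
 */
function outboundRequestedAuthnContext(array $config, array $state): ?array
{
    if (empty($config['proxymode.passAuthnContextClassRef'])) {
        return null;
    }
    $refs = $state['saml:RequestedAuthnContext']['AuthnContextClassRef'] ?? [];
    if (!is_array($refs) || $refs === []) {
        return null;
    }
    $mapped = [];
    foreach ($refs as $ref) {
        $mapped[] = OUTBOUND_MAP[$ref] ?? $ref;   // unknown refs pass through unchanged
    }
    return [
        'AuthnContextClassRef' => $mapped,
        'Comparison'           => $state['saml:RequestedAuthnContext']['Comparison'] ?? 'exact',
    ];
}

/**
 * Inbound leg: the AuthnContextClassRef to assert towards the SP, or null to
 * let SSP assert its own default. Throws instead of relaying an upstream
 * assertion that does not satisfy what the SP asked for, so the proxy never
 * claims a context (e.g. REFEDS MFA) the upstream IdP did not assert.
 */
function inboundAuthnContextClassRef(array $config, array $state): ?string
{
    if (empty($config['proxymode.passAuthnContextClassRef'])) {
        return null;
    }
    $asserted = $state['saml:sp:AuthnContext'] ?? null;
    if ($asserted === null) {
        return null;
    }
    $translated = INBOUND_MAP[$asserted] ?? $asserted;

    $requested = $state['saml:RequestedAuthnContext']['AuthnContextClassRef'] ?? [];
    // With Comparison="exact" the asserted value must be one of the requested ones.
    if ($requested !== [] && !in_array($translated, $requested, true)) {
        throw new RuntimeException(sprintf(
            'upstream IdP asserted "%s" but the SP requested one of [%s]; refusing to relay',
            $translated,
            implode(', ', $requested)
        ));
    }
    return $translated;
}

// Constructed walk-through: an SP behind the proxy asks for REFEDS MFA.
$config = ['proxymode.passAuthnContextClassRef' => true];
$state  = ['saml:RequestedAuthnContext' => ['AuthnContextClassRef' => [REFEDS_MFA], 'Comparison' => 'exact']];

$upstream = outboundRequestedAuthnContext($config, $state);
assert($upstream['AuthnContextClassRef'] === [AZURE_MFA]);       // what Azure AD is asked for

$state['saml:sp:AuthnContext'] = AZURE_MFA;                       // upstream did MFA
assert(inboundAuthnContextClassRef($config, $state) === REFEDS_MFA);

$state['saml:sp:AuthnContext'] = PASSWORD;                        // upstream did not
try {
    inboundAuthnContextClassRef($config, $state);
    echo "unexpected: relayed a non-MFA context\n";
} catch (RuntimeException $e) {
    echo "refused: {$e->getMessage()}\n";
}

// Option off (the PR's default): neither leg touches the authn context.
assert(outboundRequestedAuthnContext([], $state) === null);
assert(inboundAuthnContextClassRef([], $state) === null);
```

Run with `php example.php` (zend.assertions=1 in php.ini for the assert() lines to execute). Only Comparison="exact" is handled; "minimum"/"better"/"maximum" need an ordering over class refs that a federation would have to define, and a proxy that does not implement one should treat such requests as exact or refuse them rather than guess.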