edugain-discuss AT lists.geant.org
[eduGAIN-discuss] consolidated info on MFA with ADFS Svr2016 + ShibSP3.1.0 from eduGAIN Slack
- From: Chris Phillips <Chris.Phillips AT canarie.ca>
- To: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Subject: [eduGAIN-discuss] consolidated info on MFA with ADFS Svr2016 + ShibSP3.1.0 from eduGAIN Slack
- Date: Wed, 24 Jun 2020 20:14:32 +0000
This is a follow on email from the eduGAIN slack #general channel chat about MFA+ADFS.
There’s a lot to unpack on MFA with any combination of IdP, not just ADFS. That said, the quick testing Scott K and I did confirmed (at least for us) that the expected behaviour for a Shib v3.1.0 SP asking for the REFEDS MFA AuthContext from ADFS works -- ADFS doesn’t handle REFEDS MFA and offers an appropriate error response that the SP exhibits.
The mini testbed was Server 2016 v1607.14393.3750+ ADFSToolkit-v1. ADFS had no local multiple AuthN settings and Shib v3.1.0 SP had the REFEDS MFA context settings. The screenshot doesn’t look too fancy but it *is* the expected error page rendered by the SP. It also means the SP can do some clever things too. SAML tracer had the expected responses in the SAML exchanges and left those out.
We expect server 2019 to behave similarly.
Also pointed out by Thijs Kinkhorst on the topic of ADFS: "From our experience you need to send http://schemas.microsoft.com/claims/multipleauthn as the requestedauthncontext to trigger MFA in ADFS. You can then add an attribute in the response called http://schemas.microsoft.com/claims/authnmethodsreferences that will tell you if it actually succeeded."
Scott K and I didn’t test this scenario/pathway as our ad-hoc testbed wasn’t configured for this and doesn’t look ‘SAML2 standard’ being claims oriented.
From Scott C: "Uses of Apache's ErrorDocument command make it pretty clean to create MFA-only trees of content and have it dynamically step-up as needed by requesting/requiring something. So I wouldn't say it's a ton of work if the rules are that clean, but usually it's an 'app' and not based on URL, and that's just never going to be anything but a slog."
Scott K and I did not test this behaviour either but also landed at this conclusion as well. It looks promising if one wants to be more elegant to step users up and encourage more thought here on some good recipes if anyone has them to share.
There’s more to the story on MFA and how to gracefully and compliantly handle use cases and hope this helps others on the journey. There certainly are a lot of moving parts in a good user experience.
If there’s a better place than edugain-discuss for this, let us know and feel free to bring this conversation there.
C.
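The message describes two different ways an SP learns whether MFA happened: with the REFEDS MFA profile the IdP either asserts that AuthnContextClassRef or returns an error, whereas with ADFS the requested context is http://schemas.microsoft.com/claims/multipleauthn and the real answer sits in the authnmethodsreferences attribute. The following is an added example (not code from the original message, nor from Shibboleth or ADFS) showing how an SP-side check can evaluate a SAML Response under both conventions. The sample responses are constructed and unsigned, the NoAuthnContext status used for the refusal case is a standard SAML status code chosen for illustration (the message does not say which status ADFS actually returns), and the assumption that a successful ADFS MFA run lists the multipleauthn value inside authnmethodsreferences is the example's own reading of Thijs's remark.

```python
"""Evaluate a SAML 2.0 Response for the two MFA signalling styles discussed on the list.

Added example, not code from the original message or from Shibboleth/ADFS.
All sample responses below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

REFEDS_MFA = "https://refeds.org/profile/mfa"
ADFS_MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
ADFS_AMR = "http://schemas.microsoft.com/claims/authnmethodsreferences"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PASSWORD_ONLY_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
PASSWORD_AMR = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"


def evaluate_response(xml_text: str, requested_ctx: str) -> dict:
    """Return what the IdP asserted and whether MFA can be trusted for requested_ctx.

    Signature validation is out of scope here; a real SP verifies the
    signature before looking at any of these values.
    """
    root = ET.fromstring(xml_text)
    # Status codes in document order: outer (Success/Responder/...) first, nested detail after.
    codes = [c.get("Value") for c in root.iter(f"{{{SAMLP}}}StatusCode")]
    result = {"status": codes, "context": None, "amr": [], "mfa": False}
    if not codes or codes[0] != STATUS_SUCCESS:
        return result  # IdP refused, e.g. it does not support the requested context

    ctx = root.find(".//saml:AuthnContext/saml:AuthnContextClassRef", NS)
    result["context"] = ctx.text.strip() if ctx is not None and ctx.text else None

    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == ADFS_AMR:
            result["amr"] = [v.text.strip()
                             for v in attr.iterfind("saml:AttributeValue", NS) if v.text]

    if requested_ctx == REFEDS_MFA:
        # REFEDS profile: the IdP must assert exactly the context that was requested.
        result["mfa"] = result["context"] == REFEDS_MFA
    elif requested_ctx == ADFS_MULTIPLEAUTHN:
        # ADFS style (assumption): success is signalled by multipleauthn in authnmethodsreferences,
        # not by the AuthnContextClassRef alone.
        result["mfa"] = ADFS_MULTIPLEAUTHN in result["amr"]
    return result


def _response(status_codes, context=None, amr=()):
    """Build a minimal, unsigned sample Response (constructed test data, not real ADFS output)."""
    codes = ("".join(f'<samlp:StatusCode Value="{c}">' for c in status_codes)
             + "</samlp:StatusCode>" * len(status_codes))
    body = ""
    if context:
        amr_vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in amr)
        body = ("<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
                f"<saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef>"
                "</saml:AuthnContext></saml:AuthnStatement>"
                f'<saml:AttributeStatement><saml:Attribute Name="{ADFS_AMR}">{amr_vals}'
                "</saml:Attribute></saml:AttributeStatement></saml:Assertion>")
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
            f"<samlp:Status>{codes}</samlp:Status>{body}</samlp:Response>")


# Constructed samples: a refusal of the REFEDS request, an ADFS run where MFA happened,
# and an ADFS run that only did a password (the case the amr check is there to catch).
SAMPLE_REFUSED = _response(["urn:oasis:names:tc:SAML:2.0:status:Responder",
                            "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"])
SAMPLE_MFA_DONE = _response([STATUS_SUCCESS], ADFS_MULTIPLEAUTHN,
                            [PASSWORD_AMR, ADFS_MULTIPLEAUTHN])
SAMPLE_PASSWORD_ONLY = _response([STATUS_SUCCESS], PASSWORD_ONLY_CTX, [PASSWORD_AMR])

if __name__ == "__main__":
    for name, xml, ctx in [("refused", SAMPLE_REFUSED, REFEDS_MFA),
                           ("mfa done", SAMPLE_MFA_DONE, ADFS_MULTIPLEAUTHN),
                           ("password only", SAMPLE_PASSWORD_ONLY, ADFS_MULTIPLEAUTHN)]:
        print(name, evaluate_response(xml, ctx))
```

The point of the third sample is the one Thijs raises: a Success status is not evidence that MFA ran, so an SP that requested the Microsoft context has to look at authnmethodsreferences before treating the session as stepped up, just as an SP that requested the REFEDS context must compare the asserted AuthnContextClassRef rather than assume the IdP honoured the request.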