pressbooks / pressbooks-saml-sso

SAML2 Single Sign-On integration for Pressbooks (Shibboleth, ADFS, Google Apps, etc.)
GNU General Public License v3.0

Allow logins from IdP providers with MFA enabled #140

Closed SteelWagstaff closed 1 year ago

SteelWagstaff commented 2 years ago

A client reports:

I am trying to set up our network to use SSO. It looks like the settings are correct on our side (Azure SSO) and on your side in the pressbooks app. But on our side, we use a multifactor authentication setup via a system called Duo. In my troubleshooting inside the Microsoft Azure portal, the system gave me this information. The portal asks us to copy/paste any errors we receive during troubleshooting so I did and here are the suggestions/resolutions suggested:

[screenshot attachment: image001 (2)]

I believe that both of these are largely handled by the php-saml library we rely on. See https://github.com/onelogin/php-saml/blob/20a2cb3e2c2722f4a06d2b16006d5e140adb48db/lib/Saml2/AuthnRequest.php#L90-L132

What we should try first is to set the Authentication context to false. See https://github.com/onelogin/php-saml/blob/master/README.md

```php
// Authentication context.
// Set to false and no AuthContext will be sent in the AuthNRequest.
// Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'.
// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509').
'requestedAuthnContext' => false,
```
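Added example (mine, not code from php-saml or this plugin), modelling in Python the three `requestedAuthnContext` values quoted above and why the default matters for an IdP that authenticates with MFA: under the `exact` comparison php-saml emits, the IdP must answer with one of the requested classes, so a request pinned to PasswordProtectedTransport cannot be satisfied by an MFA class, while sending no RequestedAuthnContext accepts whatever the IdP used. The SP entity ID and the MFA class ref used in the checks (`https://refeds.org/profile/mfa`) are assumptions, not values from this issue.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# The class php-saml requests by default when the setting is true or absent.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(requested_authn_context=True):
    """Build a minimal AuthnRequest following the three cases the quoted
    php-saml comment describes (my reading of it, not the library's code):
    False -> no RequestedAuthnContext element at all;
    True  -> Comparison="exact" with PasswordProtectedTransport;
    list  -> Comparison="exact" with exactly those class refs."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": "_constructed-id", "Version": "2.0"})
    # Constructed SP entity ID, not a real Pressbooks endpoint.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = "https://sp.example.org/saml/metadata"
    if requested_authn_context is False:
        return ET.tostring(req, encoding="unicode")
    classes = [PPT] if requested_authn_context is True else list(requested_authn_context)
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    for class_ref in classes:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")


def requested_classes(authn_request_xml):
    """Return (comparison, [class refs]) from an AuthnRequest, or None when
    the SP requested no authentication context."""
    rac = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    refs = [e.text for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return rac.get("Comparison"), refs


def idp_can_satisfy(authn_request_xml, idp_class_ref):
    """Can an IdP that authenticated the user with `idp_class_ref` (for example
    an MFA class, after a Duo prompt) answer this request? Under "exact"
    comparison the IdP's class must be one of the requested ones; a request
    with no RequestedAuthnContext accepts whatever the IdP used."""
    requested = requested_classes(authn_request_xml)
    if requested is None:
        return True
    comparison, classes = requested
    if comparison != "exact":
        raise ValueError("only the 'exact' comparison php-saml emits is modelled")
    return idp_class_ref in classes
```

The middle case (a list that includes the MFA class alongside PasswordProtectedTransport) is the more precise alternative to disabling the request entirely, provided the IdP actually emits that class ref.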
SteelWagstaff commented 2 years ago

See https://uit.stanford.edu/service/saml/mfa for a good description of how SPs can ensure SAML works with Duo/MFA enabled.

SteelWagstaff commented 1 year ago

The client is provisioning me with a test account. Should be able to test today or tomorrow once account is issued.