[eduVPN-deploy] Two-factor authentication per profile with shibboleth

François Kooman fkooman at tuxed.net
Fri Sep 25 16:23:59 CEST 2020


Hi Wenche,

https://github.com/fkooman/php-saml-sp/blob/main/METADATA.md#dynamic

This probably explains why. You are trying to use dynamic metadata with 
php-saml-sp, so you have to load the metadata first.

$ sudo systemctl start php-saml-sp

Cheers,
François


On 9/25/20 4:21 PM, Wenche Backman-Kamila wrote:
> Hi,
> 
> ;-) No, probably not a very fair comparison...
> 
> 
> I'll give it a try and see how far I'll get.
> 
> In the config file, with:
> 
> 
>     'idpList' => [
>         'https://testidp.funet.fi/idp/shibboleth',
>     ],
> 
>     'metadataList' => [
>     //    'https://metadata.wayf.dk/wayf-metadata.xml' => ['wayf.dk.crt'],
>     //    'https://metadata.surfconext.nl/idp-metadata.xml' => ['SURFconext-metadata-signer.pem'],
>         'https://haka.funet.fi/metadata/haka_test_metadata_signed.xml' => ['/etc/pki/tls/certs/haka_testi_2018_sha2.crt'],
>     ],
> 
> 
> I get (using the test button):
> 
> 500 - Internal Server Error
> 
> Error Message
>      no metadata for IdP "https://testidp.funet.fi/idp/shibboleth" available
> 
> 
> Any idea why?
> 
> Thanks in advance.
> 
> Regards,
> 
> Wenche
> 
> ----- Original Message -----
> From: "fkooman" <fkooman at tuxed.net>
> To: "Wenche Backman-Kamila" <wenche.backman-kamila at csc.fi>, "eduvpn-deploy" <eduvpn-deploy at list.surfnet.nl>
> Sent: Tuesday, 22 September, 2020 16:10:03
> Subject: Re: [eduVPN-deploy] Two-factor authentication per profile with shibboleth
> 
> On 9/22/20 2:21 PM, Wenche Backman-Kamila via eduVPN-deploy wrote:
>> Hi,
> 
> Hi Wenche!
> 
>> However, I do not see how I could enable two-factor authentication for
>> only one of the profiles - is this possible or not? (The authentication
>> takes place before the profiles are even displayed) Is the only possible
>> solution to have two servers - one for general access and one for
>> two-factor privileged access?
> 
> You cannot do that *per profile*, but you can do it in a different way,
> depending on how exactly your IdP implements 2FA.
> 
>> At present, I'm merely testing what is possible and what is not, but
>> separate profiles (one with username/password authentication and one
>> with two-factor authentication) is what our current AnyConnect solution
>> is configured for...
> 
> Assuming you are using a SAML attribute to determine who gets access to
> which profile, you can use the same attribute (value) to trigger 2FA
> once we know that user has that particular attribute value.
> 
> This is supported by php-saml-sp [1], search for
> "permissionAuthnContext", which is currently not officially supported
> yet, but an audit will be completed in October after which we'll release
> 1.0.0 of php-saml-sp and officially support it.
> 
> See the documentation on how you could do this. The flow would look like
> this:
> 
> 1. User goes to vpn.example.org;
> 2. User is redirected to IdP;
> 3. User authenticates using username/password;
> 4. User returns to vpn.example.org;
> 5. It is determined that user has e.g. attribute value
> "http://eduvpn.org/role/admin" as per example that requires 2FA;
> 6. User is redirected again to IdP, this time with required AuthnContext
> as part of the AuthnRequest;
> 7. User is asked just for 2nd factor (hopefully SSO works and not again
> asked for username+password!);
> 8. User returns to vpn.example.org authenticated + 2FA.
> 
> This works in production in NL so far. It is not ideal, but I have no
> idea how to implement this better... If you have any ideas, please let
> me know :)
> 
> I'm assuming AnyConnect doesn't integrate with SAML, so that's not fair ;-)
> 
> Regards,
> François
> 
> [1] https://github.com/eduvpn/documentation/blob/v2/PHP_SAML_SP.md
> 
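The step-up flow quoted above (password login first, then a second AuthnRequest carrying a RequestedAuthnContext once the admin attribute value is seen), written out as SP-side decision logic. This is an added example, not code from php-saml-sp or from either poster: the attribute name (the eduPersonEntitlement OID), the MFA AuthnContext URI (the REFEDS MFA profile) and the shape of the value-to-context mapping are assumptions chosen for illustration, not the library's configuration format, and the sample assertions are constructed and unsigned.

```python
"""SP-side step-up (2FA) logic modelled on the flow above. Added example, not
php-saml-sp code: the attribute OID (eduPersonEntitlement), the MFA context URI
(REFEDS MFA profile) and the mapping table shape are assumed, not the library's."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA_CTX = "https://refeds.org/profile/mfa"  # assumed context the IdP uses for 2FA

# Assumed mapping (the "permissionAuthnContext" idea from the thread): an attribute
# value that grants a privileged profile also names the AuthnContext it requires.
PERMISSION_AUTHN_CONTEXT = {"http://eduvpn.org/role/admin": [MFA_CTX]}


def parse_assertion(xml_text):
    """Pull AuthnContextClassRef and attribute values out of an Assertion.
    Only feed this a signature-verified assertion: attributes from an unsigned
    one would let anyone claim the admin role."""
    root = ET.fromstring(xml_text)
    ctx = root.find(".//saml:AuthnContext/saml:AuthnContextClassRef", NS)
    attributes = {
        a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    return {"authn_context": (ctx.text or "").strip() if ctx is not None else None,
            "attributes": attributes}


def needs_step_up(assertion):
    """Step 5 of the flow: contexts the user must still satisfy (empty = nothing to do)."""
    required = []
    for value in (v for values in assertion["attributes"].values() for v in values):
        for ctx in PERMISSION_AUTHN_CONTEXT.get(value, []):
            if ctx not in required:
                required.append(ctx)
    return [] if assertion["authn_context"] in required else required


def build_requested_authn_context(contexts):
    """Step 6: RequestedAuthnContext for the second AuthnRequest. Comparison="exact"
    so the IdP must answer with one of these refs; ForceAuthn is left unset so SSO
    keeps the password session and the IdP only asks for the second factor."""
    elem = ET.Element("{%s}RequestedAuthnContext" % SAMLP, Comparison="exact")
    for ctx in contexts:
        ET.SubElement(elem, "{%s}AuthnContextClassRef" % SAML).text = ctx
    return ET.tostring(elem, encoding="unicode")


def verify_step_up(second_assertion, required):
    """Step 8: an IdP that ignores RequestedAuthnContext returns the password
    context again; without this check the 2FA requirement is silently dropped."""
    return second_assertion["authn_context"] in required


def run_flow(first_xml, second_xml=None):
    """Whole flow for one user: (2FA satisfied?, RequestedAuthnContext sent or None)."""
    required = needs_step_up(parse_assertion(first_xml))
    if not required:
        return False, None  # username/password is enough for this user
    request = build_requested_authn_context(required)
    if second_xml is None:
        return False, request  # waiting for the IdP round trip
    return verify_step_up(parse_assertion(second_xml), required), request


ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="{ns}">'
    "<saml:Issuer>https://testidp.funet.fi/idp/shibboleth</saml:Issuer>"
    "<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{ctx}"
    "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
    '<saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">'
    "{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
)


def make_assertion(authn_context, entitlements):
    """Constructed, unsigned sample assertion (illustration only)."""
    values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % e for e in entitlements)
    return ASSERTION_TEMPLATE.format(ns=SAML, ctx=authn_context, values=values)


# Constructed responses: admin and plain user after the password login, admin again after 2FA.
ADMIN_FIRST = make_assertion(PASSWORD_CTX, ["http://eduvpn.org/role/admin"])
USER_FIRST = make_assertion(PASSWORD_CTX, ["http://eduvpn.org/role/user"])
ADMIN_SECOND = make_assertion(MFA_CTX, ["http://eduvpn.org/role/admin"])

if __name__ == "__main__":
    print(run_flow(USER_FIRST))                 # (False, None): no step-up needed
    print(run_flow(ADMIN_FIRST, ADMIN_SECOND))  # (True, '<samlp:RequestedAuthnContext ...')
    print(run_flow(ADMIN_FIRST, ADMIN_FIRST))   # (False, ...): IdP ignored the request
```

The check in verify_step_up is the part that matters in practice: an IdP that does not honour RequestedAuthnContext will simply reissue a password-level assertion, and an SP that only tests "did the user come back from the IdP" grants the privileged profile without any second factor.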