Help with REFEDS Assurance Framework and SimpleSAMLphp IdP + PrivacyIDEA

Dear All guys and girls,

I’m trying to find out how to address Multi Factor Authentication for the REFEDS Assurance Framework (which aims to regulate the release of 2FA from many institutions in the coming months/years).

I’ve successfully tested the SimpleSAMLphp PrivacyIDEA plugin to perform a login on a federated resource with an OTP token as an AuthProcFilter, but the challenge is to do it by following the REFEDS Assurance Framework on a SimpleSAMLphp IdP towards an SP that requests MFA to allow access to the users.

I need to set the saml “AuthnContextClassRef” in the SAML IdP response as follows:

<saml:AuthnContext>
   <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
</saml:AuthnContext>

I don’t know if this can be done directly by PrivacyIDEA after the validation of the 2FA, or how I can add it after the 2FA, but I need help.

I need help to activate PrivacyIDEA MFA only if a Service Provider sends a request with the same AuthnContextClassRef as the IdP. If the AuthnContextClassRef is not sent in the SAML Request by the SP, PrivacyIDEA MFA must not be activated and the normal user/password login has to be followed.

At the end, the IdP has to come back to the SP with a SAML response that contains the same AuthnContextClassRef.

The documentation I mentioned is provided here: mfa – REFEDS

If anybody has already addressed it with SimpleSAMLphp and can help me find a solution,
that will make me very happy and I’ll thank him/her a lot!

I’ll also be happy if someone can point me in the right direction to discover the solution. I want to share it with everyone when I find it.

I’m working with version 1.19.7 of SimpleSAMLphp (the latest stable one) and PrivacyIDEA 3.8.

Sorry for my poor English…

Best regards to all of you!

Marco

I’ve found the solution by using this external module:

🙂

This is the Authentication Process Filter for the IdP that I have set in the simpleSAMLphp config.php file; I hope it will be useful to others:

'authproc.idp' => [

    // 5: conditionally insert the privacyIDEA filter (cirrusgeneral module).
    // The condition is PHP code evaluated with $state available. The "?? []"
    // fallback keeps in_array() from failing when the SP sends no
    // RequestedAuthnContext at all (on PHP 8 in_array() throws a TypeError
    // when given null), so such requests fall through to 'elseAuthproc'.
    5 => [
        'class' => 'cirrusgeneral:PhpConditionalAuthProcInserter',
        'condition' => 'return in_array("https://refeds.org/profile/mfa", $state["saml:RequestedAuthnContext"]["AuthnContextClassRef"] ?? []);',

        // SP requests REFEDS MFA: run privacyIDEA, then assert the MFA class.
        'authproc' => [
            [
                'class' => 'privacyidea:PrivacyideaAuthProc',

                'privacyideaServerURL' => 'http://privacyidea.server.example.com',
                'realm' => '',
                'uidKey' => 'mail',
                'sslVerifyHost' => 'true',
                'sslVerifyPeer' => 'true',
                'serviceAccount' => 'PI_ADMIN_USER',
                'servicePass' => 'PI_ADMIN_PASSWORD',
                'doEnrollToken' => 'true',
                'tokenType' => 'totp',
                'doTriggerChallenge' => 'false',
                'SSO' => 'true',
                'preferredTokenType' => '',
                'otpFieldHint' => 'OTP',
                'passFieldHint' => 'OTP Password',
                'enabledPath' => 'privacyIDEA',
                'enabledKey' => 'enabled',
                'tryFirstAuthentication' => 'false',
                'tryFirstAuthPass' => 'simpleSAMLphp',
                'excludeClientIPs' => [],
                'checkEntityID' => 'true',
                'setPath' => 'privacyIDEA',
                'setKey' => 'enabled',
            ],

            // Only reached if the privacyIDEA filter above succeeded.
            [
                'class' => 'saml:AuthnContextClassRef',
                'AuthnContextClassRef' => 'https://refeds.org/profile/mfa',
            ],
        ],
        // SP does not request REFEDS MFA: password login only.
        'elseAuthproc' => [
            [
                'class' => 'saml:AuthnContextClassRef',
                'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
            ],
        ],
    ],
],

Have a nice day!
Marco
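The decision the condition in the config above makes, including the case the first post asks about (an SP that sends no RequestedAuthnContext), as a stand-alone PHP script. This is an added example and not code from the posts above, from SimpleSAMLphp or from the privacyIDEA module. It assumes the layout SimpleSAMLphp's SAML2 IdP uses for `$state['saml:RequestedAuthnContext']` (an array with `AuthnContextClassRef` and `Comparison` keys, or null when the AuthnRequest carries none) and models the outcome of the second factor as a boolean argument instead of running the privacyIDEA filter.

```php
<?php
// Added example, not code from the original posts or the projects they use.
// Models: "assert REFEDS MFA only when the SP asked for it and the second
// factor succeeded; otherwise fall back to password-only". The $state layout
// is an assumption based on SimpleSAMLphp's SAML2 IdP: null when the request
// has no RequestedAuthnContext, else ['AuthnContextClassRef' => [...],
// 'Comparison' => 'exact'|'minimum'|'maximum'|'better'].
declare(strict_types=1);

const REFEDS_MFA = 'https://refeds.org/profile/mfa';
const PPT        = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';

/**
 * True when the SP asked for REFEDS MFA. The null-coalescing fallback turns a
 * missing or null RequestedAuthnContext into "not requested" instead of a
 * PHP 8 TypeError from in_array() on null.
 */
function spRequestsRefedsMfa(array $state): bool
{
    $requested = $state['saml:RequestedAuthnContext']['AuthnContextClassRef'] ?? [];
    return in_array(REFEDS_MFA, $requested, true);
}

/**
 * The AuthnContextClassRef the IdP may put in its response. REFEDS_MFA is
 * asserted only when the SP requested it AND the second factor succeeded.
 * If MFA was requested with Comparison 'exact' (the SAML default) and failed,
 * the IdP must not answer with a weaker class; that is modelled as null.
 */
function authnContextToAssert(array $state, bool $mfaSucceeded): ?string
{
    if (!spRequestsRefedsMfa($state)) {
        return PPT;
    }
    if ($mfaSucceeded) {
        return REFEDS_MFA;
    }
    $comparison = $state['saml:RequestedAuthnContext']['Comparison'] ?? 'exact';
    return $comparison === 'exact' ? null : PPT;
}

// Constructed sample $state arrays for the three request shapes an IdP sees.
$spWantsMfa = ['saml:RequestedAuthnContext' => [
    'AuthnContextClassRef' => [REFEDS_MFA], 'Comparison' => 'exact']];
$spWantsPassword = ['saml:RequestedAuthnContext' => [
    'AuthnContextClassRef' => [PPT], 'Comparison' => 'exact']];
$spSendsNothing = ['saml:RequestedAuthnContext' => null];

// Self-checks (need zend.assertions=1, the CLI development default).
assert(authnContextToAssert($spWantsMfa, true) === REFEDS_MFA);
assert(authnContextToAssert($spWantsMfa, false) === null);
assert(authnContextToAssert($spWantsPassword, false) === PPT);
assert(authnContextToAssert($spSendsNothing, false) === PPT);
assert(authnContextToAssert([], false) === PPT);

foreach (['SP wants MFA'      => $spWantsMfa,
          'SP wants password' => $spWantsPassword,
          'SP sends nothing'  => $spSendsNothing] as $label => $state) {
    printf("%-18s -> %s\n", $label, authnContextToAssert($state, false) ?? 'refuse');
}
```

Run it with `php` from the command line. In the real filter chain the "MFA failed" branch never reaches the `saml:AuthnContextClassRef` filter because the privacyIDEA filter stops the chain first; the script makes that ordering explicit so that the response can never claim `https://refeds.org/profile/mfa` without the second factor having passed.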
