Configure a Service Provider for Two-Factor Authentication

1. The first example requests two-factor login by modifying the default <SSO> element. This configuration will force all Shibboleth logins from this SP to use two-factor. If Shibboleth has been configured for multiple web sites (virtual hosts), two-factor will apply to all web sites.

   <SSO entityID="urn:mace:incommon:washington.edu"      authnContextClassRef="https://refeds.org/profile/mfa">      SAML2 </SSO>

   • Specifying that Shibboleth logins should use two-factor is a separate thing from requiring Shibboleth sessions for particular content. Both are required to get the desired effect. The <SSO> element doesn’t allow you to specify content settings, so you need to do that elsewhere. With an Apache web server you would typically do that through Location directives or through an .htaccess file. On an IIS server you would typically do that in a <Host> element, for example:

     <Host name="site1.washington.edu" authType="shibboleth" requireSession="true" />

2. The second example requests two-factor login by modifying a <Host> element. This configuration will force all Shibboleth logins from the specified web site (virtual host) to use two-factor. If Shibboleth has been configured for multiple web sites (virtual hosts), two-factor will only apply only to the specified web site. Note that the requirement for a Shibboleth session and the requirement for two-factor can be specified in the <Host> statement. In this example, all requests for content from site2 will require a Shibboleth session with two-factor.

   <Host name="site1.washington.edu" /> <Host name="site2.washington.edu"     authnContextClassRef="https://refeds.org/profile/mfa"     authType="shibboleth" requireSession="true" />

3. The third example requests two-factor login by modifying a <Path> element. This configuration will force Shibboleth logins for content in the specified path to use two-factor. Note that the requirement for a Shibboleth session and the requirement for two-factor can be specified in the <Path> statement. In this example, requests for content in the https://site1.washington.edu/twofactor/ directory will require a Shibboleth session with two-factor.

   <Host name="site1.washington.edu">     <Path name="twofactor" authType="shibboleth" requireSession="true"           authnContextClassRef="https://refeds.org/profile/mfa">    </Path> </Host>

   • If this site also has content that only requires a Shibboleth session with password authentication, this configuration will not work reliably. If the user requests content in the /twofactor directory first, two-factor will be enforced. If the user requests content that only requires password authentication and then requests content in the /twofactor directory, two-factor will not be enforced. The existing Shibboleth session based on password authentication will not be upgraded to two-factor. If you need to mix password-based logins and two-factor logins for different content, follow Configure a Service Provider for Step-up Two-Factor Authentication instead.
4. The fourth example requests two-factor login at the UW IdP for the session with id=”uwtoken” by modifying the appropriate <SessionInitiator> element:

   <!-- Token auth at UW --> <SessionInitiator type="Chaining" Location="/SecureLogin" isDefault="false" id="uwtoken"      relayState="cookie" entityID="urn:mace:incommon:washington.edu"      authnContextClassRef="https://refeds.org/profile/mfa" >   <SessionInitiator type="SAML2" template="bindingTemplate.html"/> </SessionInitiator>

Apache 2.4

To configure Apache 2.4 to require the authentication was completed with 2FA a combination of Shibboleth specific and standard Apache access control directive can be used. The below example will restrict access to any users who have used 2FA to sign in with their UW NetID.

These Apache directives should be located either within the Apache configuration itself or in .htaccess files within in specific directories. The choice between the two depends on how Apache is configured.

Unfortunately Apache 2.2 does not support the <RequireAll> block and interprets multiple Require directives with an implicit ‘OR’. Shibboleth SP instead provides an equivalent functionality to RequireAll. Note: The ShibRequireAll directive is NOT compatible with Apache 2.4.

IIS does not support this checking within the web server’s configuration. Instead, access control will need to be configured within the <RequestMapper> in shibboleth2.xml.

The placement of the <AccessControl> elements and their children will depend on which configuration above is utilized. The below example references example 3. It can also be placed within the <Host> element if example 2 is used.

See the documentation from the Shibboleth Project for more information: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMap

Additionally, after authentication your application’s session environment will include specific attributes indicating the authentication method actually used by the IdP. These can be used as an additional verification mechanism, instead or in addition to using the web server methods above.

On IIS:

• HTTP_SHIBAUTHENTICATIONMETHOD: https://refeds.org/profile/mfa
• HTTP_SHIBAUTHNCONTEXTCLASS: https://refeds.org/profile/mfa