chore: drop support for mfaEnforced

BREAKING CHANGE: mfaEnforced is no longed supported, use mfaEnforceSettings instead

chore: drop support for mfaEnforced
5e2b386f · Pavel Břoušek · 0396e916 · 5e2b386f · 5e2b386f · 5e2b386f
Verified Commit 5e2b386f authored 2 years ago by Pavel Břoušek
--- a/README.md
+++ b/README.md
@@ -149,7 +149,7 @@ example of mfaTokens:
 ]
 ```
-When MFA is run, if there is at least one MFA token which is not revoked and either `"mfaEnforce"` user attribute is set
+When MFA is run, if there is at least one MFA token which is not revoked and MFA should be done according to `"mfaEnforceSettings"`
 or MFA is preferred by SP (from `AuthnContext`), the `SwitchAuth` auth proc filter runs one of the configured supported
 2FA modules, decided by type of user's MFA tokens. If more than one token types are available, the 2FA method is decided
 by device type (TOTP is preferred for mobile devices, WebAuthn for desktops and laptops).
@@ -185,9 +185,9 @@ The last but very important requirement is that you need to modify SimpleSAMLphp
 ## Enforce MFA per user
-If a user should only use MFA, set `mfaEnforced` user attribute to a non-empty value. You can fill this attribute any way you like, for example from LDAP or from database.
+If a user should only use MFA, set `mfaEnforceSettings` user attribute to `{"all":true}`. You can fill this attribute any way you like, for example from LDAP or from a database.
-If the user has no MFA tokens and `mfaEnforced` is non-empty, it is ignored (to prevent lock-outs).
+If the user has no MFA tokens and `mfaEnforceSettings` is non-empty, it is ignored (to prevent lock-outs).
 When the attribute is not empty, multi-factor authentication is always performed. Because it is assumed that the first factor is always password based, when a SP requests `https://refeds.org/profile/sfa` or `PasswordProtectedTransport` specifically, MFA is performed but one of the requested authentication contexts is returned.
@@ -197,7 +197,7 @@ When used with proxy mode, MFA is not forced if it was already done at upstream
 If some user should use MFA for some services, set `mfaEnforceSettings` user attribute to one of the following JSON-encoded object types:
- `{"all":true}` to force MFA for all services (equivalent to mfaEnforced)
+- `{"all":true}` to force MFA for all services
 - `{"include_categories":["category1","category2"]}` to force MFA for all services from the listed categories
 - `{"include_categories":["category1","category2"],"exclude_rps":["entityID1","entityID2"]}` to force MFA for all services from the listed categories except services with entity ID `entityID1` and `entityID2`

--- a/lib/AuthSwitcher.php
+++ b/lib/AuthSwitcher.php
@@ -59,11 +59,6 @@ class AuthSwitcher
     */
    public const MFA_TOKENS = 'mfaTokens';
-    /**
-     * user attribute which contains boolean whether MFA should be enforced
-     */
-    public const MFA_ENFORCED = 'mfaEnforced';
    /**
     * user attribute which contains settings object for enforcing MFA
     */

--- a/lib/Utils.php
+++ b/lib/Utils.php
@@ -89,10 +89,6 @@ class Utils
            Logger::info(self::DEBUG_PREFIX . 'MFA was not forced by settings');
            return false;
        }
-        if (!empty($state['Attributes'][AuthSwitcher::MFA_ENFORCED])) {
-            Logger::info(self::DEBUG_PREFIX . 'MFA was forced for all services by mfaEnforced');
-            return true;
-        }
        Logger::info(self::DEBUG_PREFIX . 'MFA was not forced');
        return false;
    }