Unverified Commit b8b574bc authored by Pavel Břoušek's avatar Pavel Břoušek Committed by GitHub

feat: set AuthnContext in proxy mode, MFA from upstream for maxUserCapability

maxUserCapability is set to MFA if MFA was performed at the upstream IdP (the upstream AuthnContext is now passed through to setAuthnContext in proxy mode)
parent 95bdf5f3
1 merge request!36feat: set AuthnContext in proxy mode, MFA from upstream for maxUserCapability
...@@ -136,7 +136,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter ...@@ -136,7 +136,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
$performMFA = AuthnContextHelper::MFAin($usersCapabilities) && $shouldPerformMFA; $performMFA = AuthnContextHelper::MFAin($usersCapabilities) && $shouldPerformMFA;
$maxUserCapability = ''; $maxUserCapability = '';
if (in_array(AuthSwitcher::MFA, $usersCapabilities, true)) { if (in_array(AuthSwitcher::MFA, $usersCapabilities, true) || AuthnContextHelper::MFAin([$upstreamContext])) {
$maxUserCapability = AuthSwitcher::MFA; $maxUserCapability = AuthSwitcher::MFA;
} elseif (1 === count($usersCapabilities)) { } elseif (1 === count($usersCapabilities)) {
$maxUserCapability = $usersCapabilities[0]; $maxUserCapability = $usersCapabilities[0];
...@@ -144,17 +144,16 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter ...@@ -144,17 +144,16 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
$state['Attributes'][$this->max_user_capability_attr] = []; $state['Attributes'][$this->max_user_capability_attr] = [];
if ($performMFA) { if ($performMFA) {
// MFA
$this->performMFA($state, $maxUserCapability); $this->performMFA($state, $maxUserCapability);
} elseif (empty($upstreamContext)) { } else {
// SFA // SFA or MFA was done at upstream IdP
$this->setAuthnContext($state, $maxUserCapability); $this->setAuthnContext($state, $maxUserCapability, $upstreamContext);
} }
} }
public function setAuthnContext(&$state, $maxUserCapability) public function setAuthnContext(&$state, $maxUserCapability, $upstreamContext = null)
{ {
$mfaPerformed = Utils::wasMFAPerformed($state); $mfaPerformed = Utils::wasMFAPerformed($state, $upstreamContext);
if (AuthSwitcher::SFA === $maxUserCapability || (AuthSwitcher::MFA === $maxUserCapability && $mfaPerformed)) { if (AuthSwitcher::SFA === $maxUserCapability || (AuthSwitcher::MFA === $maxUserCapability && $mfaPerformed)) {
$state['Attributes'][$this->max_user_capability_attr][] = $this->max_auth; $state['Attributes'][$this->max_user_capability_attr][] = $this->max_auth;
......