Library to integrate a step-up authentication via second factor for Shibboleth Identity Provider (IDP) version 3. This is kind of discontinued. It works with IDP v4 and v5 with the branches idp-4 and idp-5. But is is not really supported and doesn't follow the new plugin/module architecture of the Shibboleth IDP. Only use, if you know what you are doing. If you are looking into implementing 2fa with shibboleth, please have a look at eduMFA (https://github.com/eduMFA/eduMFA) and the FUDISCR plugin (https://doku.tid.dfn.de/en:shibidp:plugin-fudiscr). These will be better maintained.
Checkout or clone the repository. Build the repository with Maven. A simple mvn package should be sufficient.
- Copy the resulting jar (shib-2fa-.jar) to your Shibboleth library folder. Depending on the deployment process of your shibboleth installation, this step can vary. If you are using an unpacked war file, you have to copy the file to the
{idp.home}/war/WEB-INF/libfolder. - Copy
src/main/resources/conf/authn/linotp-authn-*to{idp.home}/conf/authn/ - Copy
src/main/resources/flows/authn/linotpto{idp.home}/flows/authn/ - Copy
src/main/resources/views/linotp.vmto{idp.home}/views/
Edit your conf/authn/general-authn.xml and add the linotp authentication method there. Change the <CONTEXT_CLASS> to something useful, that will reflect your needs. For example: https://<your-org>/auth/2fa. Service Providers will have to use this string, if they want to use step-up authentication.
<util:list id="shibboleth.AvailableAuthenticationFlows">
<bean id="authn/linotp" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true">
<property name="supportedPrincipals">
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="<CONTEXT_CLASS>" />
</list>
</property>
</bean>
....
</util:list>Alter your conf/idp.properties file and add the authentication method you just created. Don't just alter the lines completely, just append the new method with a pipe (|) sign. Don't damage your existing configuration.
# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows = Password|linotp
# Regular expression of forced "initial" methods when no session exists,
# usually in conjunction with the idp.authn.resolveAttribute property below.
idp.authn.flows.initial = Password
Also add the following configuration values:
linotp.Host = <your linotp host>
linotp.Serviceuser = <service user>
linotp.Servicepassword = <password>
linotp.Checkcert = <true: check DN of certificate match>
linotp.CreateEmailToken = <true: create an e-mail token, if user has no tokens yet (for testing)>
You will most probably need to customize the linotp.vm view to reflect your IDP design.
You can find an example for using the Two factor method with a standard Shibboleth SP in the folder example-webpage. See ExamplePage wiki for details.