TransitionMultiFactorAuthentication (Shibboleth IdP :: Authentication Implementation 3.4.1 API)

java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>
  - - org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>
    - - net.shibboleth.idp.profile.AbstractProfileAction<InboundMessageType,OutboundMessageType>
      - net.shibboleth.idp.authn.AbstractAuthenticationAction
        
        net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action
```
public class TransitionMultiFactorAuthentication
extends AbstractAuthenticationAction
```
An authentication action that acts as the master evaluation step regulating execution of transitions between MFA stages.
This is the heart of the MFA processing sequence, and runs after the MultiFactorAuthenticationContext has been populated. It uses the current/previous flow and the transition rules to decide when to transition to a new flow, when work is complete, and the final event to signal in the event of a problem.

The execution of this function is driven by the MultiFactorAuthenticationTransition rule associated with the flow that was most recently executed by this engine. If none (such as during the first iteration), then the rule associated with a null flow ID is used. Failure to locate a transition to use is fatal, resulting in AuthnEventIds.NO_PASSIVE or AuthnEventIds.NO_POTENTIAL_FLOW.

Otherwise, a function is applied to obtain the "current" WebFlow event, and the event is applied to the transition's rule map to obtain the name of the next flow to run. A wildcard ('*') rule is used if a more specific rule isn't found.

If the transition signals a null/empty flow ID to run, then MultiFactorAuthenticationContext.getNextFlowId() is cleared to signal the MFA flow that it should complete itself. The result of the action is either MultiFactorAuthenticationContext.getEvent() (if set), or the current WebFlow event.

If a flow is returned, it is populated into the MultiFactorAuthenticationContext. The flow is checked for the "authn/" prefix, and a login flow is checked against the active result map to determine if it can be reused, in which case the action recurses itself. Otherwise EventIds.PROCEED_EVENT_IDis signaled to run that flow.

By default, login flow transitions are validated against the request's requirements in terms of passive, forced re-authn, and non-browser compatibility.
Event:

EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, AuthnEventIds.NO_PASSIVE, AuthnEventIds.NO_POTENTIAL_FLOW, AuthnEventIds.REQUEST_UNSUPPORTED, (any event signaled by another called flow)

Precondition:
```
ProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(
      MultiFactorAuthenticationContext.class) != null
```
Postcondition:

See above.

Field Summary

Fields
Modifier and Type	Field and Description
`private com.google.common.base.Function<ProfileRequestContext,EventContext>`	`eventContextLookupStrategy` Lookup function for current event context.
`private org.slf4j.Logger`	`log` Class logger.
`private MultiFactorAuthenticationContext`	`mfaContext` A subordinate `MultiFactorAuthenticationContext`, if any.
`private com.google.common.base.Function<ProfileRequestContext,MultiFactorAuthenticationContext>`	`multiFactorContextLookupStrategy` Lookup function for the context to evaluate.
`private boolean`	`validateLoginTransitions` Perform IsPassive, ForceAuthn, and non-browser checks when running login flows.

Constructor Summary

Constructors
Constructor and Description

TransitionMultiFactorAuthentication()
Constructor.

Constructors
Constructor and Description
`TransitionMultiFactorAuthentication()` Constructor.

Method Summary

Methods
Modifier and Type	Method and Description
`protected void`	`doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`
`protected boolean`	`doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`
`private void`	`doTransition(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext, MultiFactorAuthenticationTransition transition)` Respond to a signal to transition the MFA process to a new flow.
`void`	`setEventContextLookupStrategy(com.google.common.base.Function<ProfileRequestContext,EventContext> strategy)` Set the lookup strategy to use for the current event context.
`void`	`setMultiFactorContextLookupStrategy(com.google.common.base.Function<ProfileRequestContext,MultiFactorAuthenticationContext> strategy)` Set the lookup strategy to use for the context to evaluate.
`void`	`setValidateLoginTransitions(boolean flag)` Set whether to validate transitions to a new login flow by evaluating the request and ensuring options like IsPassive and ForceAuthn are compatible with the flow.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction
doExecute, doPreExecute, setLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

multiFactorContextLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,MultiFactorAuthenticationContext> multiFactorContextLookupStrategy

Lookup function for the context to evaluate.

eventContextLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,EventContext> eventContextLookupStrategy

Lookup function for current event context.

validateLoginTransitions
```
private boolean validateLoginTransitions
```
Perform IsPassive, ForceAuthn, and non-browser checks when running login flows.

mfaContext

@Nullable
private MultiFactorAuthenticationContext mfaContext

A subordinate MultiFactorAuthenticationContext, if any.

Constructor Detail
- TransitionMultiFactorAuthentication
```
TransitionMultiFactorAuthentication()
```
  Constructor.

Method Detail

setMultiFactorContextLookupStrategy

public void setMultiFactorContextLookupStrategy(@Nonnull
                                       com.google.common.base.Function<ProfileRequestContext,MultiFactorAuthenticationContext> strategy)

Set the lookup strategy to use for the context to evaluate.

Parameters:: strategy - lookup strategy

setEventContextLookupStrategy

public void setEventContextLookupStrategy(@Nonnull
                                 com.google.common.base.Function<ProfileRequestContext,EventContext> strategy)

Set the lookup strategy to use for the current event context.

Parameters:: strategy - lookup strategy

setValidateLoginTransitions
```
public void setValidateLoginTransitions(boolean flag)
```
Set whether to validate transitions to a new login flow by evaluating the request and ensuring options like IsPassive and ForceAuthn are compatible with the flow.
Defaults to 'true', override if your custom transition logic handles these issues.

Parameters:
flag - flag to set

doPreExecute

protected boolean doPreExecute(@Nonnull
                   ProfileRequestContext profileRequestContext,
                   @Nonnull
                   AuthenticationContext authenticationContext)

Overrides:: doPreExecute in class AbstractAuthenticationAction

doExecute

protected void doExecute(@Nonnull
             ProfileRequestContext profileRequestContext,
             @Nonnull
             AuthenticationContext authenticationContext)

Overrides:: doExecute in class AbstractAuthenticationAction

doTransition

private void doTransition(@Nonnull
                ProfileRequestContext profileRequestContext,
                @Nonnull
                AuthenticationContext authenticationContext,
                @Nonnull
                MultiFactorAuthenticationTransition transition)

Respond to a signal to transition the MFA process to a new flow.

Parameters:: profileRequestContext - profile request context; authenticationContext - authentication context; transition - transition rule to use

Class TransitionMultiFactorAuthentication

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent