java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction
  - - org.opensaml.profile.action.AbstractConditionalProfileAction
    - - net.shibboleth.idp.profile.AbstractProfileAction
      - net.shibboleth.idp.authn.AbstractAuthenticationAction
        
        net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
```
public class TransitionMultiFactorAuthentication
extends AbstractAuthenticationAction
```
An authentication action that acts as the driver regulating execution of transitions between MFA stages.
This is the heart of the MFA processing sequence, and runs after the MultiFactorAuthenticationContext has been populated. It uses the current/previous flow and the transition rules to decide when to transition to a new flow, when work is complete, and the final event to signal in the event of a problem.

The execution of this function is driven by the MultiFactorAuthenticationTransition rule associated with the flow that was most recently executed by this engine. If none (such as during the first iteration), then the rule associated with a null flow ID is used. Failure to locate a transition to use is fatal, resulting in AuthnEventIds.NO_PASSIVE or AuthnEventIds.NO_POTENTIAL_FLOW.

Otherwise, a function is applied to obtain the "current" WebFlow event, and the event is applied to the transition's rule map to obtain the name of the next flow to run. A wildcard ('*') rule is used if a more specific rule isn't found.

If the transition signals a null/empty flow ID to run, then MultiFactorAuthenticationContext.getNextFlowId() is cleared to signal the MFA flow that it should complete itself. The result of the action is either MultiFactorAuthenticationContext.getEvent() (if set), or the current WebFlow event.

If a flow is returned, it is populated into the MultiFactorAuthenticationContext. The flow is checked for the "authn/" prefix, and a login flow is checked against the active result map to determine if it can be reused, in which case the action recurses itself. Otherwise EventIds.PROCEED_EVENT_IDis signaled to run that flow.

By default, login flow transitions are validated against the request's requirements in terms of passive, forced re-authn, and non-browser compatibility.
Event:

EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, AuthnEventIds.NO_PASSIVE, AuthnEventIds.NO_POTENTIAL_FLOW, AuthnEventIds.REQUEST_UNSUPPORTED, (any event signaled by another called flow)

Precondition:
```
ProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(
      MultiFactorAuthenticationContext.class) != null
```
Postcondition:

See above.

Field Summary

Fields
Modifier and Type	Field	Description
`private Function<ProfileRequestContext,EventContext>`	`eventContextLookupStrategy`	Lookup function for current event context.
`private org.slf4j.Logger`	`log`	Class logger.
`private MultiFactorAuthenticationContext`	`mfaContext`	A subordinate `MultiFactorAuthenticationContext`, if any.
`private Function<ProfileRequestContext,MultiFactorAuthenticationContext>`	`multiFactorContextLookupStrategy`	Lookup function for the context to evaluate.
`private String`	`previousEvent`	Holds the last event processed by the system.
`private boolean`	`validateLoginTransitions`	Perform IsPassive, ForceAuthn, and non-browser checks when running login flows.

Constructor Summary

Constructors
Constructor Description

TransitionMultiFactorAuthentication()
Constructor.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`protected void`	`doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`
`protected boolean`	`doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`
`private void`	`doTransition(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext, MultiFactorAuthenticationTransition transition)`	Respond to a signal to transition the MFA process to a new flow.
`void`	`setEventContextLookupStrategy(Function<ProfileRequestContext,EventContext> strategy)`	Set the lookup strategy to use for the current event context.
`void`	`setMultiFactorContextLookupStrategy(Function<ProfileRequestContext,MultiFactorAuthenticationContext> strategy)`	Set the lookup strategy to use for the context to evaluate.
`void`	`setValidateLoginTransitions(boolean flag)`	Set whether to validate transitions to a new login flow by evaluating the request and ensuring options like IsPassive and ForceAuthn are compatible with the flow.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction
doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

multiFactorContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,MultiFactorAuthenticationContext> multiFactorContextLookupStrategy

Lookup function for the context to evaluate.

eventContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,EventContext> eventContextLookupStrategy

Lookup function for current event context.

validateLoginTransitions
```
private boolean validateLoginTransitions
```
Perform IsPassive, ForceAuthn, and non-browser checks when running login flows.

mfaContext

@Nullable
private MultiFactorAuthenticationContext mfaContext

A subordinate MultiFactorAuthenticationContext, if any.

previousEvent
```
@Nullable
private String previousEvent
```
Holds the last event processed by the system.

Constructor Detail
- TransitionMultiFactorAuthentication
```
TransitionMultiFactorAuthentication()
```
  Constructor.

Method Detail

setMultiFactorContextLookupStrategy

public void setMultiFactorContextLookupStrategy(@Nonnull
                                                Function<ProfileRequestContext,MultiFactorAuthenticationContext> strategy)

Set the lookup strategy to use for the context to evaluate.

Parameters:: strategy - lookup strategy

setEventContextLookupStrategy

public void setEventContextLookupStrategy(@Nonnull
                                          Function<ProfileRequestContext,EventContext> strategy)

Set the lookup strategy to use for the current event context.

Parameters:: strategy - lookup strategy

setValidateLoginTransitions
```
public void setValidateLoginTransitions(boolean flag)
```
Set whether to validate transitions to a new login flow by evaluating the request and ensuring options like IsPassive and ForceAuthn are compatible with the flow.
Defaults to 'true', override if your custom transition logic handles these issues.

Parameters:

flag - flag to set

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext,
                               @Nonnull
                               AuthenticationContext authenticationContext)

Overrides:: doPreExecute in class AbstractAuthenticationAction

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext,
                         @Nonnull
                         AuthenticationContext authenticationContext)

Overrides:: doExecute in class AbstractAuthenticationAction

doTransition

private void doTransition(@Nonnull
                          ProfileRequestContext profileRequestContext,
                          @Nonnull
                          AuthenticationContext authenticationContext,
                          @Nonnull
                          MultiFactorAuthenticationTransition transition)

Respond to a signal to transition the MFA process to a new flow.

Parameters:: profileRequestContext - profile request context; authenticationContext - authentication context; transition - transition rule to use

Class TransitionMultiFactorAuthentication

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

Field Detail

log

multiFactorContextLookupStrategy

eventContextLookupStrategy

validateLoginTransitions

mfaContext

previousEvent

Constructor Detail