Package net.shibboleth.idp.authn.impl

Class TransitionMultiFactorAuthentication

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.authn.AbstractAuthenticationAction
net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class TransitionMultiFactorAuthentication extends AbstractAuthenticationAction
An authentication action that acts as the driver regulating execution of transitions between MFA stages.

This is the heart of the MFA processing sequence, and runs after the MultiFactorAuthenticationContext has been populated. It uses the current/previous flow and the transition rules to decide when to transition to a new flow, when work is complete, and the final event to signal in the event of a problem.

The execution of this function is driven by the MultiFactorAuthenticationTransition rule associated with the flow that was most recently executed by this engine. If none (such as during the first iteration), then the rule associated with a null flow ID is used. Failure to locate a transition to use is fatal, resulting in AuthnEventIds.NO_PASSIVE or AuthnEventIds.NO_POTENTIAL_FLOW.

Otherwise, a function is applied to obtain the "current" WebFlow event, and the event is applied to the transition's rule map to obtain the name of the next flow to run. A wildcard ('*') rule is used if a more specific rule isn't found.

If the transition signals a null/empty flow ID to run, then MultiFactorAuthenticationContext.getNextFlowId() is cleared to signal the MFA flow that it should complete itself. The result of the action is either MultiFactorAuthenticationContext.getEvent() (if set), or the current WebFlow event.

If a flow is returned, it is populated into the MultiFactorAuthenticationContext. The flow is checked for the "authn/" prefix, and a login flow is checked against the active result map to determine if it can be reused, in which case the action recurses itself. Otherwise EventIds.PROCEED_EVENT_IDis signaled to run that flow.

By default, login flow transitions are validated against the request's requirements in terms of passive, forced re-authn, and non-browser compatibility.

Event:
EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, AuthnEventIds.NO_PASSIVE, AuthnEventIds.NO_POTENTIAL_FLOW, AuthnEventIds.REQUEST_UNSUPPORTED, (any event signaled by another called flow)
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(
      MultiFactorAuthenticationContext.class) != null
Postcondition:
See above.

  • Field Details

  • Constructor Details

    • TransitionMultiFactorAuthentication

      TransitionMultiFactorAuthentication()
      Constructor.

  • Method Details

    • setMultiFactorContextLookupStrategy

      public void setMultiFactorContextLookupStrategy(@Nonnull Function<ProfileRequestContext,MultiFactorAuthenticationContext> strategy)
      Set the lookup strategy to use for the context to evaluate.
      Parameters:
      strategy - lookup strategy

    • setEventContextLookupStrategy

      public void setEventContextLookupStrategy(@Nonnull Function<ProfileRequestContext,EventContext> strategy)
      Set the lookup strategy to use for the current event context.
      Parameters:
      strategy - lookup strategy

    • setValidateLoginTransitions

      public void setValidateLoginTransitions(boolean flag)
      Set whether to validate transitions to a new login flow by evaluating the request and ensuring options like IsPassive and ForceAuthn are compatible with the flow.

      Defaults to 'true', override if your custom transition logic handles these issues.

      Parameters:
      flag - flag to set

    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action's pre-execute step. Default implementation just returns true.
      Overrides:
      doPreExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      Returns:
      true iff execution should continue

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action. Default implementation throws an exception.
      Overrides:
      doExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • doTransition

      private void doTransition(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull MultiFactorAuthenticationTransition transition)
      Respond to a signal to transition the MFA process to a new flow.
      Parameters:
      profileRequestContext - profile request context
      authenticationContext - authentication context
      transition - transition rule to use