Hi, /Per-Olof
Hello,
I've installed the plugin on IdP5 and the basic functionality is there. How do I configure the parameters/capabilities of the auth flow itself in the IdP? Things like order (not necessary with the MFA flow), nonBrowserSupported, passiveAuthenticationSupported, forcedAuthenticationSupported, addDefaultPrincipals and supportedPrincipals?
The first issue I ran into was about supportedPrincipals. If a service asks for an MFA-specific authnContextClassRef the auth request can never be satisfied unless the authn/privacyIDEA flow is configured to be supporting said authnContextClassRef.
The other stuff like nonBrowserSupported, passiveAuthenticationSupported and forcedAuthenticationSupported are used by the IdP itself to determine whether an auth flow can even potentially fulfill an auth request. So should any custom MFA flow defined by the admin check those things.
-- Timo
Edit: Looking at postconfig.xml inside the impl package gave an idea how to do those things. I'll leave this idea up here, anyway, as it would probably be good to document at some point.
Edit2: Authentication does not work if the SP requests a specific authnContextClassRef. It seems that supportedPrincipals are loaded correctly into the privacyIDEA authn flow descriptor but the principals are not added to the Subject after the authn flow has successfully run (addDefaultPrincipals).