Channel: SCN: Message List - SAP Single Sign-On

SAML 2.0 Multiple Authentication contexts


Hello,


I'm trying to set up a prototype for a SAML 2.0 scenario. The setup includes NW SSO as the SAML Identity Provider and a NW 7.4 Server as the Service Provider. One of the requirements is to have multi-factor authentication during the user authentication, which means that the basic password check must be followed by a one-time password (OTP) check as well. For this OTP check, we have a specific login module which, in a regular (non-SAML) authentication scenario, works fine as part of an authentication stack.

For the SAML 2.0 scenario, this OTP login module has been assigned to a custom authentication context on the IdP side. The SP's SAML policy has been configured to request this additional auth. context as well. During the SAML authentication, this OTP login module gets called, so the auth. context part of the setup looks correct.

The issue I'm facing is that there is no way to specify the flag for these login modules in the SAML 2.0 scenario; I'd like to set one to 'REQUIRED' and the other one to 'REQUISITE'. SAP NW SSO calls all login modules that are part of the requested authentication context with the 'SUFFICIENT' flag, and if any of them is successful, the login is allowed. So, if I specify a wrong password with a correct OTP, it will let me in, or if I specify a correct password with no or an incorrect OTP, it will let me in as well.

Class SAML2AuthnContextLoginModule does the processing of these authentication contexts, but I don't see any way it could be influenced to read the flags for those login modules from somewhere, or to specify a stack for the contexts similar to how the regular auth. stacks can be defined.

Has anybody faced the same issue or been able to resolve it? Any suggestion is welcome.


Thank you,

David
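The behaviour described in the question (every module in the authentication context evaluated as SUFFICIENT, so either factor alone lets the user in) follows directly from the JAAS control-flag semantics. The following simulation is an added example, not code from the post or from SAP NetWeaver; it implements the standard JAAS flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) over a constructed two-module stack so the difference between the all-SUFFICIENT stack and a REQUIRED + REQUISITE stack can be checked on concrete credentials. The module names, the user `david`, the password and the OTP value are all constructed placeholders.

```python
"""Simulation of JAAS login-module control flags (added example, not SAP code).

Rules implemented (standard JAAS semantics):
  REQUIRED   - must succeed; evaluation continues down the stack either way.
  REQUISITE  - must succeed; on failure evaluation stops immediately.
  SUFFICIENT - on success (and no earlier REQUIRED/REQUISITE failure) evaluation
               stops with success; on failure evaluation continues.
  OPTIONAL   - result only matters if the stack has no REQUIRED/REQUISITE modules.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


@dataclass
class LoginModule:
    name: str
    flag: Flag
    check: Callable[[Dict[str, str]], bool]   # returns True when the factor verifies


# Constructed credential stores for the demo (placeholders, not real data).
PASSWORDS = {"david": "correct-horse"}
OTP_EXPECTED = {"david": "123456"}


def password_check(creds: Dict[str, str]) -> bool:
    expected = PASSWORDS.get(creds.get("user", ""), "")
    return bool(expected) and hmac.compare_digest(expected, creds.get("password") or "")


def otp_check(creds: Dict[str, str]) -> bool:
    expected = OTP_EXPECTED.get(creds.get("user", ""), "")
    return bool(expected) and hmac.compare_digest(expected, creds.get("otp") or "")


def evaluate_stack(stack: List[LoginModule], creds: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Run the stack with JAAS flag semantics; return (authenticated, trace)."""
    trace: List[str] = []
    required_ok = True        # no REQUIRED/REQUISITE module has failed so far
    saw_required = False      # stack contains at least one REQUIRED/REQUISITE module
    sufficient_ok = False
    optional_ok = False
    for module in stack:
        ok = module.check(creds)
        trace.append(f"{module.name}[{module.flag.value}] -> {'ok' if ok else 'fail'}")
        if module.flag in (Flag.REQUIRED, Flag.REQUISITE):
            saw_required = True
            if not ok:
                required_ok = False
                if module.flag is Flag.REQUISITE:
                    trace.append("REQUISITE failed: stop evaluation")
                    break
        elif module.flag is Flag.SUFFICIENT:
            if ok and required_ok:
                trace.append("SUFFICIENT succeeded: stop evaluation")
                sufficient_ok = True
                break
        else:  # OPTIONAL
            optional_ok = optional_ok or ok
    # Overall decision: all REQUIRED/REQUISITE must pass; if there are none,
    # at least one SUFFICIENT or OPTIONAL module must have passed.
    result = required_ok if saw_required else (sufficient_ok or optional_ok)
    return result, trace


# Stack as the question describes it: every module in the auth. context is SUFFICIENT.
SUFFICIENT_STACK = [
    LoginModule("BasicPassword", Flag.SUFFICIENT, password_check),
    LoginModule("OTP", Flag.SUFFICIENT, otp_check),
]

# Stack the question wants: password REQUIRED, OTP REQUISITE, so both factors are enforced.
STRICT_STACK = [
    LoginModule("BasicPassword", Flag.REQUIRED, password_check),
    LoginModule("OTP", Flag.REQUISITE, otp_check),
]


if __name__ == "__main__":
    cases = {
        "wrong password, correct OTP": {"user": "david", "password": "nope", "otp": "123456"},
        "correct password, no OTP": {"user": "david", "password": "correct-horse"},
        "both correct": {"user": "david", "password": "correct-horse", "otp": "123456"},
    }
    for label, stack in (("all SUFFICIENT", SUFFICIENT_STACK), ("REQUIRED+REQUISITE", STRICT_STACK)):
        for desc, creds in cases.items():
            authenticated, trace = evaluate_stack(stack, creds)
            print(f"{label:20} {desc:28} -> {authenticated}  ({'; '.join(trace)})")
```

With the all-SUFFICIENT stack the first two cases authenticate, which is exactly the bypass the question reports; with the REQUIRED + REQUISITE stack only the third case does. Putting the OTP module as REQUISITE also means a missing or wrong OTP stops evaluation immediately, so no later module in the context gets a chance to rescue the login.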
