OpenConext · pablothedude · May 27, 2025 · May 8, 2025
diff --git a/stepup/docker-compose.yml b/stepup/docker-compose.yml
@@ -17,6 +17,7 @@ services:
           - demogssp.dev.openconext.local
           - webauthn.dev.openconext.local
           - tiqr.dev.openconext.local
+          - azuremfa.dev.openconext.local
           - mailcatcher.dev.openconext.local
     hostname: haproxy.docker
 

diff --git a/stepup/middleware/middleware-institution.json b/stepup/middleware/middleware-institution.json
@@ -16,6 +16,7 @@
     "number_of_tokens_per_identity": 2,
     "self_vet": true,
     "sso_on_2fa": true,
+    "sso_registration_bypass": true,
     "allow_self_asserted_tokens": true
   },
   "institution-b.example.com": {

diff --git a/stepup/tests/behat/features/bootstrap/SecondFactorAuthContext.php b/stepup/tests/behat/features/bootstrap/SecondFactorAuthContext.php
@@ -77,6 +77,17 @@ public function configureServiceProviderForSecondFactorOnly()
         $this->requiredLoa = 2;
     }
 
+    /**
+     * @Given a service provider configured for second-factor-only with loa 1.5
+     */
+    public function configureServiceProviderForSecondFactorOnlyLoa1_5()
+    {
+        $this->activeIdp = self::SFO_IDP;
+        $this->activeSp = self::SFO_SP;
+        $this->requiredLoa = 1.5;
+    }
+
+
     /**
      * @Given a service provider configured for single-signon
      */
@@ -109,6 +120,23 @@ public function visitServiceProvider()
         }
     }
 
+    /**
+     * @When I start an SFO authentication for :arg1 with GSSP extension subject :arg2 and institution :arg3
+     */
+    public function startASfoAuthenticationWithGsspExtension(string $userIdentifier, string $subject, string $institution)
+    {
+        $this->minkContext->visit($this->spTestUrl);
+        $this->minkContext->fillField('idp', $this->activeIdp);
+        $this->minkContext->fillField('sp', $this->activeSp);
+        $this->minkContext->fillField('loa', $this->requiredLoa);
+        $this->minkContext->fillField('subject', $userIdentifier);
+
+        $this->minkContext->fillField('email_extension', $subject);
+        $this->minkContext->fillField('sho_extension', $institution);
+
+        $this->minkContext->pressButton('Login');
+    }
+
     /**
      * @When I start an SFO authentication for :arg1
      */
@@ -197,6 +225,45 @@ public function verifySpecifiedSecondFactor($tokenType, $smsChallenge = null)
         }
     }
 
+    /**
+     * @When I verify the azuremfa gssp second factor with email address :arg1
+     */
+    public function authenticateUserInAzureMfaGsspApplication($emailAddress)
+    {
+        $this->minkContext->assertPageAddress('https://azuremfa.dev.openconext.local/mock/sso');
+
+        // Fill test attributes on demo page
+        $attributes = sprintf('[
+            {
+                "name": "urn:mace:dir:attribute-def:mail",
+                "value": [
+                    "%s"
+                ]
+            },
+            {
+                "name": "http://schemas.microsoft.com/claims/authnmethodsreferences",
+                "value": [
+                    "http://schemas.microsoft.com/claims/multipleauthn"
+                ]
+            }
+        ]', $emailAddress);
+
+        $this->minkContext->fillField('attributes', $attributes);
+        $this->minkContext->pressButton('success');
+
+        // Submit assertion
+        $this->minkContext->assertPageAddress('https://azuremfa.dev.openconext.local/mock/sso');
+        $this->minkContext->pressButton('Submit assertion');
+
+        // Pass through the 'return to sp' redirection page.
+        $this->minkContext->assertPageAddress('https://azuremfa.dev.openconext.local/saml/sso_return');
+        $this->minkContext->pressButton('Submit');
+
+        // And continue back to the SP via Gateway
+        $this->minkContext->assertPageAddress('https://gateway.dev.openconext.local/gssp/azuremfa/consume-assertion');
+        $this->minkContext->pressButton('Submit');
+    }
+
     /**
      * @When I verify the Yubikey second factor
      */
@@ -222,6 +289,9 @@ public function cancelSecondFactorAuthentication($tokenType)
             case "demo-gssp":
                 $this->cancelAuthenticationInDummyGsspApplication();
                 break;
+            case "azuremfa-gssp":
+                $this->cancelAuthenticationInAzureMfaGsspApplication();
+                break;
             default:
                 throw new Exception(
                     sprintf(
@@ -315,6 +385,22 @@ public function cancelAuthenticationInDummyGsspApplication()
         $this->minkContext->pressButton('Submit');
     }
 
+    public function cancelAuthenticationInAzureMfaGsspApplication()
+    {
+        $this->minkContext->assertPageAddress('https://azuremfa.dev.openconext.local/mock/sso');
+        // Cancel the dummy authentication action.
+        $this->minkContext->pressButton('user-cancelled');
+
+        // Pass through the gssp
+        $this->minkContext->pressButton('Submit');
+
+        // Pass through the Gateway
+        $this->minkContext->pressButton('Submit');
+
+        // Pass through the SP
+        $this->minkContext->pressButton('Submit');
+    }
+
     public function cancelYubikeySsoAuthentication()
     {
         switch ($this->activeSp) {

diff --git a/stepup/tests/behat/features/ra_insitution-configuration.feature b/stepup/tests/behat/features/ra_insitution-configuration.feature
@@ -10,6 +10,7 @@ Feature: A RAA can view the institution configuration
                 "verify_email": true,
                 "self_vet": true,
                 "sso_on_2fa": true,
+                "sso_registration_bypass": true,
                 "allow_self_asserted_tokens": true,
                 "allowed_second_factors": [],
                 "number_of_tokens_per_identity": 2
@@ -42,6 +43,7 @@ Feature: A RAA can view the institution configuration
         | Show RAA contact information?                                                              | Yes                              |
         | E-mail verification enabled?                                                               | Yes                              |
         | Single sign on on second factor authentications?                                           | Yes                               |
+        | Single sign on registration bypass?                                                        | Yes                               |
         | Token activation using an activated token                                                  | Allowed                      |
         | Activate a token without the service desk or an activated token                            | Allowed                      |
         | Allowed second factor tokens                                                               | All enabled tokens are available |
@@ -57,6 +59,7 @@ Feature: A RAA can view the institution configuration
         | Show RAA contact information?                                                              | No                               |
         | E-mail verification enabled?                                                               | No                               |
         | Single sign on on second factor authentications?                                           | No                               |
+        | Single sign on registration bypass?                                                        | No                               |
         | Token activation using an activated token                                                  | Not allowed                      |
         | Activate a token without the service desk or an activated token                            | Not allowed                      |
         | Allowed second factor tokens                                                               | sms                              |

diff --git a/stepup/tests/behat/features/sfo_gssp_fallback.feature b/stepup/tests/behat/features/sfo_gssp_fallback.feature
@@ -0,0 +1,17 @@
+Feature: A user authenticates with a service provider configured for second-factor-only
+  In order to login on a service provider
+  As a user
+  I must verify the second factor without authenticating with an identity provider
+
+  Scenario: A user logs in using SFO using a GSSP token
+    Given a service provider configured for second-factor-only with loa 1.5
+    And a user "jane-a1" identified by "urn:collab:person:institution-a.example.com:jane-a1" from institution "institution-a.example.com" with UUID "00000000-0000-4000-8000-000000000001"
+    When I start an SFO authentication for "urn:collab:person:institution-a.example.com:jane-a1" with GSSP extension subject "jane-a1@institution-a.example.com" and institution "institution-a.example.com"
+    And I verify the azuremfa gssp second factor with email address "jane-a1@institution-a.example.com"
+    Then I am logged on the service provider
+
+  Scenario: A user cancels SFO authn with a gssp token
+    Given a service provider configured for second-factor-only with loa 1.5
+    When I start an SFO authentication for "urn:collab:person:institution-a.example.com:jane-a1" with GSSP extension subject "jane-a1@institution-a.example.com" and institution "institution-a.example.com"
+      And I cancel the "azuremfa-gssp" second factor authentication
+    Then I see an error at the service provider
diff --git a/stepup/tests/behat/fixtures/middleware-institution.json b/stepup/tests/behat/fixtures/middleware-institution.json
@@ -16,6 +16,7 @@
     "number_of_tokens_per_identity": 2,
     "self_vet": true,
     "sso_on_2fa": true,
+    "sso_registration_bypass": true,
     "allow_self_asserted_tokens": true
   },
   "institution-b.example.com": {