Start POC to test GSSP bypass flow

pablothedude · pablothedude · commit 3767e04026de · 2025-05-12T10:21:46.000+02:00
diff --git a/config/openconext/parameters.yaml.dist b/config/openconext/parameters.yaml.dist
@@ -180,3 +180,14 @@ parameters:
     #
     # Example value: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
     sso_encryption_key: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+
+    # The GSSP ID from samlstepupproviders.yaml to use as fallback GSSP
+    # Set fallback_gssp to false to disable the fallback_gssp functionality
+    # fallback_gssp: false
+    fallback_gssp: 'azuremfa'
+
+    # The user attribute to use in the Subject of the AuthnRequest to the fallback GSSP
+    fallback_gssp_subject_attribute: 'urn:mace:dir:attribute-def:mail'
+
+    # The user attribute to use to determine the user's home institution
+    fallback_gssp_institution_attribute: 'urn:mace:terena.org:attribute-def:schacHomeOrganization'
diff --git a/src/Surfnet/StepupGateway/GatewayBundle/Controller/SecondFactorController.php b/src/Surfnet/StepupGateway/GatewayBundle/Controller/SecondFactorController.php
@@ -158,13 +158,19 @@ public function selectSecondFactorForVerification(
                 // todo: handle sso registration bypass.
                 if ($authenticationMode === self::MODE_SFO) {
                     // - the user does not have an active token
-                    // - a LoA1.5 (i.e. self asserted) authentication is requested
 
+                    // - a LoA1.5 (i.e. self asserted) authentication is requested
                     // - a fallback GSSP is configured
                     // - this "fallback" option is enabled for the institution that the user belongs to.
-
                     // - the configured user attribute is present in the AuthnRequest
                     // - handle authentication by forwarding it to a designated GSSP using the GSSP protocol instead of returning an error.
+
+//                    var_dump($requiredLoa);
+//                    die();
+
+                    $secondFactor = SecondFactor::create('gssp_fallback', 'azuremfa', '');
+                    return $this->selectAndRedirectTo($secondFactor, $context, $authenticationMode);
+
                 }
 
                 return $this->forward(
@@ -351,6 +357,23 @@ public function verifyGssf(Request $request): Response
         /** @var SecondFactorService $secondFactorService */
         $secondFactorService = $this->get('gateway.service.second_factor_service');
         /** @var SecondFactor $secondFactor */
+
+        if ($selectedSecondFactor === 'gssp_fallback') {
+            // Also send the response context service id, as later we need to know if this is regular SSO or SFO authn.
+            $responseContextServiceId = $context->getResponseContextServiceId();
+
+            return $this->forward(
+                SamlProxyController::class . '::sendSecondFactorVerificationAuthnRequest',
+                [
+                    'provider' => 'azuremfa',
+                    'subjectNameId' => 'jane-a1@institution-a.example.com',
+                    'responseContextServiceId' => $responseContextServiceId,
+                    'relayState' => $context->getRelayState(),
+                ],
+            );
+
+        }
+
         $secondFactor = $secondFactorService->findByUuid($selectedSecondFactor);
         if (!$secondFactor) {
             throw new RuntimeException(
@@ -389,7 +412,19 @@ public function gssfVerified(Request $request): Response
 
         $selectedSecondFactor = $this->getSelectedSecondFactor($context, $logger);
 
-        /** @var SecondFactor $secondFactor */
+        if ($selectedSecondFactor === 'gssp_fallback') {
+//            $this->getAuthenticationLogger()->logSecondFactorAuthentication($originalRequestId, $authenticationMode);
+            $context->markSecondFactorVerified();
+
+            $logger->info(sprintf(
+                'Marked GSSF "%s" as verified, forwarding to Gateway controller to respond',
+                $selectedSecondFactor,
+            ));
+
+            return $this->forward($context->getResponseAction());
+        }
+
+            /** @var SecondFactor $secondFactor */
         $secondFactor = $this->get('gateway.service.second_factor_service')->findByUuid($selectedSecondFactor);
         if (!$secondFactor) {
             throw new RuntimeException(
diff --git a/src/Surfnet/StepupGateway/GatewayBundle/Entity/SecondFactor.php b/src/Surfnet/StepupGateway/GatewayBundle/Entity/SecondFactor.php
@@ -118,6 +118,15 @@ final private function __construct()
     {
     }
 
+    public static function create(string $id, string $type, string $displayLocale)
+    {
+        $sf = new self();
+        $sf->secondFactorId = $id;
+        $sf->secondFactorType = $type;
+        $sf->displayLocale = $displayLocale;
+        return $sf;
+    }
+
     public function canSatisfy(Loa $loa, SecondFactorTypeService $service): bool
     {
         $secondFactorType = new SecondFactorType($this->secondFactorType);
diff --git a/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Service/Gateway/RespondService.php b/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Service/Gateway/RespondService.php
@@ -101,11 +101,17 @@ public function respond(ResponseContext $responseContext, Request $request)
             );
         }
 
-        $secondFactor = $this->secondFactorService->findByUuid($selectedSecondFactorUuid);
-        $this->responseValidator->validate($request, $secondFactor, $responseContext->getIdentityNameId());
+
+        $loaLevel = 1.5;
+        if ($selectedSecondFactorUuid !== 'gssp_fallback') {
+            $secondFactor = $this->secondFactorService->findByUuid($selectedSecondFactorUuid);
+            $this->responseValidator->validate($request, $secondFactor, $responseContext->getIdentityNameId());
+
+            $loaLevel = $secondFactor->getLoaLevel($this->secondFactorTypeService);
+        }
 
         $grantedLoa = $this->loaResolutionService
-            ->getLoaByLevel($secondFactor->getLoaLevel($this->secondFactorTypeService));
+            ->getLoaByLevel($loaLevel);
 
         $authnContextClassRef = $this->loaAliasLookupService->findAliasByLoa($grantedLoa);
 
diff --git a/tests/features/sfo-registration-bypass.feature b/tests/features/sfo-registration-bypass.feature
@@ -1,7 +1,7 @@
-#@functional
-Feature: As an institution that uses the second factor only feature
+@functional
+Feature: As an institution that uses the registration bypass feature
   In order to do second factor authentications
-  I must be able to successfully authenticate with my second factor tokens
+  I must be able to successfully authenticate with my second factor tokens without prior registration
 
   Scenario: A Yubikey SFO authentication
     Given an SFO enabled SP with EntityID https://ssp.dev.openconext.local/module.php/saml/sp/metadata.php/second-sp

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,15 @@ final private function __construct()`
`118`	`118`	`{`
`119`	`119`	`}`
`120`	`120`
	`121`	`+ public static function create(string $id, string $type, string $displayLocale)`
	`122`	`+ {`
	`123`	`+ $sf = new self();`
	`124`	`+ $sf->secondFactorId = $id;`
	`125`	`+ $sf->secondFactorType = $type;`
	`126`	`+ $sf->displayLocale = $displayLocale;`
	`127`	`+ return $sf;`
	`128`	`+ }`
	`129`	`+`
`121`	`130`	`public function canSatisfy(Loa $loa, SecondFactorTypeService $service): bool`
`122`	`131`	`{`
`123`	`132`	`$secondFactorType = new SecondFactorType($this->secondFactorType);`