
Get user attributes from previous authn in Shibboleth IDP 3 MFA flow

I'm trying to build a two-factor authentication flow for Shibboleth IdP 3. It's set up with the MFA flow with an initial LDAP authentication and then my 2FA flow, which is based on the external authn flow.

How can I get user data from the previous LDAP flow in my servlet? It seems like request.getAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY) etc. is not set yet. The docs say that LDAP attributes are returned as part of the authentication process and exposed in the LDAPResponseContext. How can I access the context in my servlet?

I also tried to use an attribute-resolver to release a specific value from the AD user profile, but I was not able to find those values in my servlet. Any ideas?

I figured it out, maybe someone else finds it helpful:

The password flow populates the c14n context with the principal name, which is enough for me. To get the principal name in a servlet:

    protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws ServletException {
        try {
            // Resume the IdP conversation that redirected to this servlet
            String authenticationKey = ExternalAuthentication.startExternalAuthentication(request);

            // get userPrincipalName of previous authn
            final ProfileRequestContext profileRequestContext = ExternalAuthentication.getProfileRequestContext(authenticationKey, request);
            final SubjectCanonicalizationContext c14nContext = profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class);
            String usernameShib = null;
            if (c14nContext != null && c14nContext.getPrincipalName() != null) {
                usernameShib = c14nContext.getPrincipalName();
                //Subject subjectShib = c14nContext.getSubject();
                logger.info(usernameShib);
            }
            //...
        } catch (final ExternalAuthenticationException e) {
            // startExternalAuthentication / getProfileRequestContext fail if the conversation key is missing or stale
            throw new ServletException("Unable to resume external authentication", e);
        }
    }
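
An added example (not part of the original post) that carries the lookup through to the end of the second factor: the result is bound to the first-factor principal and the flow fails closed when that principal is missing. The class name and the abstract `verifySecondFactor` method are hypothetical extension points; the `ExternalAuthentication` calls and keys are assumed to be those of the IdP 3 external authn API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import org.opensaml.profile.context.ProfileRequestContext;

// Hypothetical base class for a second-factor servlet behind the MFA flow.
public abstract class AbstractSecondFactorServlet extends HttpServlet {

    // Hypothetical hook: check the user's second factor (OTP, push, ...) for this request.
    protected abstract boolean verifySecondFactor(String user, HttpServletRequest request);

    @Override
    protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
            throws ServletException, IOException {
        try {
            final String key = ExternalAuthentication.startExternalAuthentication(request);

            // Identity established by the first (LDAP password) factor.
            final ProfileRequestContext prc =
                    ExternalAuthentication.getProfileRequestContext(key, request);
            final SubjectCanonicalizationContext c14n =
                    prc.getSubcontext(SubjectCanonicalizationContext.class);
            final String firstFactorUser = (c14n != null) ? c14n.getPrincipalName() : null;

            if (firstFactorUser == null || firstFactorUser.isEmpty()) {
                // Fail closed: never fall back to a username supplied in the request.
                request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                        "No first-factor principal");
            } else if (verifySecondFactor(firstFactorUser, request)) {
                // Report the same principal the password flow authenticated.
                request.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, firstFactorUser);
            } else {
                request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                        "Second factor rejected");
            }
            // Hand control back to the IdP with either a principal or an error set.
            ExternalAuthentication.finishExternalAuthentication(key, request, response);
        } catch (final ExternalAuthenticationException e) {
            throw new ServletException("External authentication failed", e);
        }
    }
}
```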
