Commit
Add a $saml2{twoFAOnlyWithBypass} option.
This option is for the case that the identity provider offers multi-factor
authentication, and yet the $saml2{bypass_query} is also
allowed.  In this case you would not want webwork2's two factor
authentication to be used when signing in via the identity provider.
However, two factor authentication should be used if the bypass query is
used.  Setting $saml2{twoFAOnlyWithBypass} to 1 makes it so that
webwork2's two factor authentication is skipped for users signing in via
the identity provider, but still required for users signing in with a
username/password. If this is set to 0, then webwork2's two factor
authentication will always be required.
drgrice1 committed Nov 13, 2024
1 parent 84a94d4 commit edc0477
Showing 2 changed files with 20 additions and 8 deletions.
26 changes: 18 additions & 8 deletions conf/authen_saml2.conf.dist
Expand Up @@ -24,6 +24,12 @@ $authen{admin_module} = [
'WeBWorK::Authen::Saml2'
];

# This URL query parameter can be added to the end of a course url to skip the
# saml2 authentication module and go to the next one, for example,
# http://your.school.edu/webwork2/courseID?bypassSaml2=1. Comment out the next
# line to disable this feature.
$saml2{bypass_query} = 'bypassSaml2';

# Note that Saml2 authentication can be used in conjunction with webwork's two
# factor authentication. If the identity provider does not provide two factor
# authentication, then it is recommended that you DO use webwork's two factor
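Review bot: the relocated comment for $saml2{bypass_query} still describes the parameter only as a way to "skip the saml2 authentication module", without saying what that means for the security posture: anyone who appends the parameter to a course URL is sent to the username/password login instead of the identity provider, which is exactly the situation the new $saml2{twoFAOnlyWithBypass} option is meant to cover. Since the two settings are now adjacent, consider adding a sentence here such as "If you enable this, see $saml2{twoFAOnlyWithBypass} below so that two factor authentication still protects password logins." The example URL also uses plain http://; an https:// example would be a better default to copy from.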
Expand All @@ -33,11 +39,15 @@ $authen{admin_module} = [
# authentication. The two factor authentication settings are set in
# localOverrides.conf.

# This URL query parameter can be added to the end of a course url to skip the
# saml2 authentication module and go to the next one, for example,
# http://your.school.edu/webwork2/courseID?bypassSaml2=1. Comment out the next
# line to disable this feature.
$saml2{bypass_query} = 'bypassSaml2';
# As noted above, if the identity provider offers two factor authentication,
# then you would not want webwork2's two factor authentication to be used at the
# same time. However, if the bypass parameter is allowed, you should still
# enable two factor authentication in that case. If this is the case, then set
# $saml2{twoFAOnlyWithBypass} to 1. This will skip webwork2's two factor
# authentication for users signing in via the identity provider, but still
# require it for users signing in with a username/password. If this is set to 0,
# then webwork2's two factor authentication will always be required.
$saml2{twoFAOnlyWithBypass} = 0;

# If $external_auth is 1, and the authentication sequence reaches
# Basic_TheLastOption, then the webwork login screen will show a message
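Review bot: the new comment block reads awkwardly in its third and fourth sentences ("you should still enable two factor authentication in that case. If this is the case, then set ..."), and it never states the precondition that two factor authentication must already be enabled in localOverrides.conf for this option to do anything. Suggest tightening it to something like "If the identity provider already performs two factor authentication but the bypass parameter above is allowed, set $saml2{twoFAOnlyWithBypass} to 1: webwork2's two factor authentication is then skipped for users who sign in via the identity provider and required only for users who sign in with a username/password. It has no effect unless two factor authentication is enabled in localOverrides.conf." Keeping the shipped default at 0 (two factor always required) is the right conservative choice and is worth saying explicitly.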
Expand Down Expand Up @@ -104,9 +114,9 @@ $saml2{sp}{attributes} = [
# The files saml.crt and saml.pem that are generated contain the public
# "certificate" and the "private_key", respectively.
# Note that if the files are placed within the root webwork2 app directory, then
# the paths may be given relative to the the root webwork2 app directory.
# Otherwise the absolute path must be given. Make sure that the webwork2 app has
# read permissions for those files.
# the paths may be given relative to the root webwork2 app directory. Otherwise
# the absolute path must be given. Make sure that the webwork2 app has read
# permissions for those files.
$saml2{sp}{certificate_file} = 'docker-config/idp/certs/saml.crt';
$saml2{sp}{private_key_file} = 'docker-config/idp/certs/saml.pem';

2 changes: 2 additions & 0 deletions lib/WeBWorK/Authen/Saml2.pm
Expand Up @@ -71,6 +71,8 @@ sub do_verify ($self) {
my $c = $self->{c};
my $ce = $c->ce;

$self->{external_auth} = 1 if $ce->two_factor_authentication_enabled && $ce->{saml2}{twoFAOnlyWithBypass};

if ($c->current_route eq 'saml2_acs') {
debug('Verifying Saml2 assertion');


0 comments on commit edc0477