From edc04776fcdbe97a522ad22a6b1b96cde52065ec Mon Sep 17 00:00:00 2001 From: Glenn Rice Date: Tue, 3 Sep 2024 06:17:05 -0500 Subject: [PATCH] Add a $saml2{twoFAOnlyWithBypass} option. This option is for the case that the identity provider offers multi factor authentication, and yet the $saml2{bypass_query} is also allowed. In this case you would not want webwork2's two factor authentication to be used when signing in via the identity provider. However, two factor authentication should be used if the bypass query is used. Setting $saml2{twoFAOnlyWithBypass} to 1 makes it so that webwork2's two factor authentication is skipped for users signing in via the identity provider, but still required for users signing in with a username/password. If this is set to 0, then webwork2's two factor authentication will always be required. --- conf/authen_saml2.conf.dist | 26 ++++++++++++++++++-------- lib/WeBWorK/Authen/Saml2.pm | 2 ++ 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/conf/authen_saml2.conf.dist b/conf/authen_saml2.conf.dist index 197198a946..b126cde66f 100644 --- a/conf/authen_saml2.conf.dist +++ b/conf/authen_saml2.conf.dist @@ -24,6 +24,12 @@ $authen{admin_module} = [ 'WeBWorK::Authen::Saml2' ]; +# This URL query parameter can be added to the end of a course url to skip the +# saml2 authentication module and go to the next one, for example, +# http://your.school.edu/webwork2/courseID?bypassSaml2=1. Comment out the next +# line to disable this feature. +$saml2{bypass_query} = 'bypassSaml2'; + # Note that Saml2 authentication can be used in conjunction with webwork's two # factor authentication. If the identity provider does not provide two factor # authentication, then it is recommended that you DO use webwork's two factor 
@@ -33,11 +39,15 @@ $authen{admin_module} = [ # authentication. The two factor authentication settings are set in # localOverrides.conf. -# This URL query parameter can be added to the end of a course url to skip the -# saml2 authentication module and go to the next one, for example, -# http://your.school.edu/webwork2/courseID?bypassSaml2=1. Comment out the next -# line to disable this feature. -$saml2{bypass_query} = 'bypassSaml2'; +# As noted above, if the identity provider offers two factor authentication, +# then you would not want webwork2's two factor authentication to be used at the +# same time. However, if the bypass parameter is allowed, you should still +# enable two factor authentication in that case. If this is the case, then set +# $saml2{twoFAOnlyWithBypass} to 1. This will skip webwork2's two factor +# authentication for users signing in via the identity provider, but still +# require it for users signing in with a username/password. If this is set to 0, +# then webwork2's two factor authentication will always be required. +$saml2{twoFAOnlyWithBypass} = 0; # If $external_auth is 1, and the authentication sequence reaches # Basic_TheLastOption, then the webwork login screen will show a message @@ -104,9 +114,9 @@ $saml2{sp}{attributes} = [ # The files saml.crt and saml.pem that are generated contain the public # "certificate" and the "private_key", respectively. # Note that if the files are placed within the root webwork2 app directory, then -# the paths may be given relative to the the root webwork2 app directory. -# Otherwise the absolute path must be given. Make sure that the webwork2 app has -# read permissions for those files. +# the paths may be given relative to the root webwork2 app directory. Otherwise +# the absolute path must be given. Make sure that the webwork2 app has read +# permissions for those files. $saml2{sp}{certificate_file} = 'docker-config/idp/certs/saml.crt'; $saml2{sp}{private_key_file} = 'docker-config/idp/certs/saml.pem'; 
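Review bot: The new comment block for `$saml2{twoFAOnlyWithBypass}` (second hunk of this file) does not say that the option is inert unless webwork2's two factor authentication is itself enabled; the check added in lib/WeBWorK/Authen/Saml2.pm is `$self->{external_auth} = 1 if $ce->two_factor_authentication_enabled && $ce->{saml2}{twoFAOnlyWithBypass};`, so with 2FA disabled the value 0 or 1 changes nothing. Because the 2FA settings live in localOverrides.conf, as the preceding comment notes, an administrator setting this to 1 here could believe that username/password sign-ins (including those arriving via `$saml2{bypass_query}`) now require a second factor when they do not. Suggest adding, directly above the assignment, `# This option has no effect unless two factor authentication is enabled in` / `# localOverrides.conf; check that setting when relying on this for bypass logins.` The sentence "If this is the case, then set ... to 1" would also read more clearly if "this" named its referent, e.g. "If both of these apply, set ...".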
diff --git a/lib/WeBWorK/Authen/Saml2.pm b/lib/WeBWorK/Authen/Saml2.pm index 61add1cd60..d7d5389aea 100644 --- a/lib/WeBWorK/Authen/Saml2.pm +++ b/lib/WeBWorK/Authen/Saml2.pm @@ -71,6 +71,8 @@ sub do_verify ($self) { my $c = $self->{c}; my $ce = $c->ce; + $self->{external_auth} = 1 if $ce->two_factor_authentication_enabled && $ce->{saml2}{twoFAOnlyWithBypass}; + if ($c->current_route eq 'saml2_acs') { debug('Verifying Saml2 assertion');