...

Configuring your test IdP for MFA

You must be running Shibboleth Identity Provider v3.3.x. If not, upgrade first; see SWAMID Webinar 2 2017 - Upgrade Shibboleth Identity Provider to the latest version.

The updates to your test IdP involve configuring MultiFactorAuthnConfiguration (https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration) and adding an extra U2F login module, available on GitHub at https://github.com/Ratler/shibboleth-mfa-u2f-auth. The documentation on GitHub is very good and does not need to be repeated in detail here, so this page only covers the potential gotchas.

If you do not have conf/authn/mfa-authn-config.xml in your Shibboleth installation directory, copy it from the /opt/shibboleth-identity-provider-3.3.2/conf/authn distribution directory.

Configure your idp.properties so that MFA is the only enabled flow. The Password and U2F flows that the MFA flow invokes do not need to be listed here (and generally should not be), because the MFA flow calls them directly through its transition map:

idp.authn.flows = MFA

Add the u2f.properties file to the comma-delimited list of property resources in idp.properties (paths are relative to idp.home), for example:

idp.additionalProperties = /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/u2f.properties

Your u2f.properties file should be configured as follows:

...

Again, replace CLIENTNAME and PASSWORD with the values you set in the htdigest and u2fval commands above. The appId MUST be the https URL of your test IdP with no path component and no trailing slash (for example https://idp.example.org, not https://idp.example.org/idp or https://idp.example.org/); a mismatched appId makes every registered key unusable.
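The idp.properties edits above (make MFA the only flow, register u2f.properties) and the appId rule are easy to get subtly wrong on a second run or a copy-paste. The script below is an added example, not code from this page, from SWAMID or from the Shibboleth project: it applies both property changes idempotently and rejects an appId that carries a path or trailing slash. IDP_HOME and the sample idp.properties it builds are assumptions; without IDP_HOME set it only runs against the constructed sample.

```shell
#!/bin/sh
# Added example (not code from the SWAMID page or the Shibboleth project).
# Idempotently applies the idp.properties changes described above and
# sanity-checks a U2F appId. Paths are assumptions: set IDP_HOME to your
# installation (e.g. /opt/shibboleth-idp) to run it for real; without it,
# the script only demonstrates on a constructed sample file.
set -eu

# Escape the dots in a property key so it can be used inside a sed ERE.
escape_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# get_property FILE KEY: print the value of the first uncommented KEY line.
get_property() {
    sed -nE "s/^[[:space:]]*$(escape_re "$2")[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# set_property FILE KEY VALUE: rewrite the uncommented KEY line in place,
# or append one if the key is not yet set. Commented-out lines are left alone.
set_property() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*$(escape_re "$key")[[:space:]]*=" "$file"; then
        # '|' is the sed delimiter, so values may contain '/' but not '|' or '&'.
        sed -E "s|^[[:space:]]*$(escape_re "$key")[[:space:]]*=.*|$key = $value|" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# add_to_list FILE KEY ITEM: append ITEM to a comma-separated property value,
# unless it is already listed (so re-running the script is harmless).
add_to_list() {
    file=$1; key=$2; item=$3
    current=$(get_property "$file" "$key")
    case ",$(printf '%s' "$current" | tr -d '[:space:]')," in
        *",$item,"*) return 0 ;;
    esac
    if [ -z "$current" ]; then
        set_property "$file" "$key" "$item"
    else
        set_property "$file" "$key" "$current, $item"
    fi
}

# check_appid URL: a U2F appId must be the bare https origin of the IdP,
# i.e. https://host[:port] with no path and no trailing slash.
check_appid() {
    case $1 in
        https://*) rest=${1#https://} ;;
        *) return 1 ;;
    esac
    case $rest in
        ''|*/*) return 1 ;;
    esac
    return 0
}

# configure_mfa IDP_HOME: make MFA the only enabled flow and register u2f.properties.
configure_mfa() {
    props="$1/conf/idp.properties"
    set_property "$props" idp.authn.flows MFA
    add_to_list "$props" idp.additionalProperties /conf/u2f.properties
}

# Demonstration on a constructed idp.properties (not a real installation).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/conf"
cat > "$demo_dir/conf/idp.properties" <<'EOF'
# constructed sample, trimmed to the two properties of interest
idp.authn.flows = Password
idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties
EOF
configure_mfa "$demo_dir"
configure_mfa "$demo_dir"    # a second run must not duplicate the list entry
cat "$demo_dir/conf/idp.properties"

for id in https://idp.example.org https://idp.example.org/ https://idp.example.org/idp http://idp.example.org; do
    if check_appid "$id"; then echo "ok       $id"; else echo "rejected $id"; fi
done

# Apply to a real installation only when IDP_HOME is set.
[ -z "${IDP_HOME:-}" ] || configure_mfa "$IDP_HOME"
```

Run it once without IDP_HOME to see the rewritten sample and which appIds are rejected, then with IDP_HOME=/opt/shibboleth-idp (or wherever your IdP lives) to apply the two edits; restart the IdP afterwards so the new property resource is read.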

The following must be added to conf/authn/general-authn.xml so that both the authn/MFA and authn/U2f flows are available:

...