TOTP MFA prevents SAML claims from populating in ID token #8249

nvjoshi2 · 2024-05-15T17:18:19Z

Operating System

Mac OS 14.2.1 (23C71)

Browser Version

Chrome/124.0.6367.119

Firebase SDK Version

10.12.0

Firebase SDK Product:

Auth

Describe your project's tooling

React Next.js SPA

Describe the problem

When I enable TOTP MFA for a tenant, SAML claims are no longer populated in the JWT for a signed in user.

Steps and code to reproduce issue

Create Google Identity Platform Project
Enable multitenancy, create tenant
Enable TOTP MFA for tenant via admin-sdk
Add SAML provider to tenant (used Entra ID in my case)
Make React application, add firebase as dependency
Set up TOTP MFA enrollment and sign in flows
Initiate SAML redirect sign in flow

signInWithRedirect(auth, new SAMLAuthProvider("<Provider ID>"))

Be prompted to enroll in MFA (At this point the JWT does contain SAML claims)

Complete enrollment
Print UserImpl, decode JWT

{
  "iss": "<redacted>",
  "aud": "<redacted>",
  "auth_time": 1715792567,
  "user_id": "<redacted>",
  "sub": "<redacted>",
  "iat": 1715792567,
  "exp": 1715796167,
  "email": "<redacted>",
  "email_verified": true,
  "firebase": {
    "identities": {
      "saml.cyvidia-entra-id": [
        "<redacted>"
      ],
      "email": [
        "<redacted>"
      ]
    },
    "sign_in_provider": "saml.cyvidia-entra-id",
    "sign_in_second_factor": "totp",
    "second_factor_identifier": "c2393de3-646f-45c5-aade-5ade10bc203e",
    "tenant": "customer-1-p2kfv"
  }
}

Log out, log back in
Print UserImpl, verify that JWT still does not contain claims
Disable TOTP MFA using admin sdk
Log out, log back in
Print UserImpl, decode JWT

{
  "iss": "<redacted>",
  "aud": "<redacted>",
  "auth_time": 1715792890,
  "user_id": "<redacted>",
  "sub": "<redacted>",
  "iat": 1715792890,
  "exp": 1715796490,
  "email": "<redacted>",
  "email_verified": true,
  "firebase": {
    "identities": {
      "saml.cyvidia-entra-id": [
        "<redacted>"
      ],
      "email": [
        "<redacted>"
      ]
    },
    "sign_in_provider": "saml.cyvidia-entra-id",
    "sign_in_attributes": {
      "http://schemas.microsoft.com/identity/claims/displayname": "<redacted>",
      "http://schemas.microsoft.com/identity/claims/tenantid": "<redacted>",
      "http://schemas.microsoft.com/identity/claims/identityprovider": "<redacted>",
      "http://schemas.microsoft.com/identity/claims/objectidentifier": "<redacted>",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "<redacted>",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "<redacted>",
      "http://schemas.microsoft.com/claims/authnmethodsreferences": [
        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
        "http://schemas.microsoft.com/claims/multipleauthn"
      ],
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "<redacted>",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "<redacted>"
    },
    "tenant": "customer-1-p2kfv"
  }
}

The text was updated successfully, but these errors were encountered:

nvjoshi2 added new A new issue that hasn't be categoirzed as question, bug or feature request question labels May 15, 2024

google-oss-bot added the api: auth label May 15, 2024

rizafran removed the new A new issue that hasn't be categoirzed as question, bug or feature request label May 15, 2024

jbalidiong added the needs-attention label May 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TOTP MFA prevents SAML claims from populating in ID token #8249

TOTP MFA prevents SAML claims from populating in ID token #8249

nvjoshi2 commented May 15, 2024

TOTP MFA prevents SAML claims from populating in ID token #8249

TOTP MFA prevents SAML claims from populating in ID token #8249

Comments

nvjoshi2 commented May 15, 2024

Operating System

Browser Version

Firebase SDK Version

Firebase SDK Product:

Describe your project's tooling

Describe the problem

Steps and code to reproduce issue