TOTP MFA prevents SAML claims from populating in ID token

Open nvjoshi2 opened this issue 1 year ago • 0 comments

Operating System

Mac OS 14.2.1 (23C71)

Browser Version

Chrome/124.0.6367.119

Firebase SDK Version

10.12.0

Firebase SDK Product:

Auth

Describe your project's tooling

React Next.js SPA

Describe the problem

When I enable TOTP MFA for a tenant, SAML claims are no longer populated in the JWT for a signed in user.

Steps and code to reproduce issue

  1. Create Google Identity Platform project
  2. Enable multitenancy, create tenant
  3. Enable TOTP MFA for tenant via Admin SDK
  4. Add SAML provider to tenant (used Entra ID in my case)
  5. Make React application, add firebase as dependency
  6. Set up TOTP MFA enrollment and sign-in flows
  7. Initiate SAML redirect sign-in flow:
     signInWithRedirect(auth, new SAMLAuthProvider("<Provider ID>"))
  8. Be prompted to enroll in MFA (at this point the JWT does contain SAML claims)
  9. Complete enrollment
  10. Print UserImpl, decode JWT

{
  "iss": "<redacted>",
  "aud": "<redacted>",
  "auth_time": 1715792567,
  "user_id": "<redacted>",
  "sub": "<redacted>",
  "iat": 1715792567,
  "exp": 1715796167,
  "email": "<redacted>",
  "email_verified": true,
  "firebase": {
    "identities": {
      "saml.cyvidia-entra-id": [
        "<redacted>"
      ],
      "email": [
        "<redacted>"
      ]
    },
    "sign_in_provider": "saml.cyvidia-entra-id",
    "sign_in_second_factor": "totp",
    "second_factor_identifier": "c2393de3-646f-45c5-aade-5ade10bc203e",
    "tenant": "customer-1-p2kfv"
  }
}
  11. Log out, log back in
  12. Print UserImpl, verify that JWT still does not contain claims
  13. Disable TOTP MFA using Admin SDK
  14. Log out, log back in
  15. Print UserImpl, decode JWT
{
  "iss": "<redacted>",
  "aud": "<redacted>",
  "auth_time": 1715792890,
  "user_id": "<redacted>",
  "sub": "<redacted>",
  "iat": 1715792890,
  "exp": 1715796490,
  "email": "<redacted>",
  "email_verified": true,
  "firebase": {
    "identities": {
      "saml.cyvidia-entra-id": [
        "<redacted>"
      ],
      "email": [
        "<redacted>"
      ]
    },
    "sign_in_provider": "saml.cyvidia-entra-id",
    "sign_in_attributes": {
      "http://schemas.microsoft.com/identity/claims/displayname": "<redacted>",
      "http://schemas.microsoft.com/identity/claims/tenantid": "<redacted>",
      "http://schemas.microsoft.com/identity/claims/identityprovider": "<redacted>",
      "http://schemas.microsoft.com/identity/claims/objectidentifier": "<redacted>",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "<redacted>",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "<redacted>",
      "http://schemas.microsoft.com/claims/authnmethodsreferences": [
        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
        "http://schemas.microsoft.com/claims/multipleauthn"
      ],
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "<redacted>",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "<redacted>"
    },
    "tenant": "customer-1-p2kfv"
  }
}

nvjoshi2 · May 15 '24 17:05
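The practical risk in the report above is that any backend authorizing a SAML user on the basis of `firebase.sign_in_attributes` (tenant ID, group membership, and so on) silently loses those attributes once the user completes a TOTP second factor. The following is an added example, not code from the issue or from the firebase-js-sdk project: a small server-side guard that decodes an ID token payload, detects the condition, and fails closed. The two payloads are constructed from the two decoded tokens in the report with assumed placeholder values for `iss`, `aud`, `sub` and the attribute values; the base64url decoding is not signature verification, so in production the same check should run on the payload returned by the Admin SDK's `verifyIdToken()`.

```javascript
// Added example (not from the issue or the firebase-js-sdk project): detect an ID
// token for a SAML-signed-in user that carries no firebase.sign_in_attributes, as
// observed after TOTP enrollment in the report, and refuse to authorize on it.
// Decoding here is base64url only and is NOT signature verification.

// Constructed sample payloads shaped after the two decoded tokens in the report.
// iss/aud/sub and attribute values are assumed placeholders.
const AFTER_TOTP_ENROLLMENT = {
  iss: "https://securetoken.google.com/example-project",
  aud: "example-project",
  sub: "uid-1",
  firebase: {
    identities: { "saml.cyvidia-entra-id": ["x"], email: ["x"] },
    sign_in_provider: "saml.cyvidia-entra-id",
    sign_in_second_factor: "totp",
    second_factor_identifier: "c2393de3-646f-45c5-aade-5ade10bc203e",
    tenant: "customer-1-p2kfv",
  },
};

const WITHOUT_MFA = {
  iss: "https://securetoken.google.com/example-project",
  aud: "example-project",
  sub: "uid-1",
  firebase: {
    identities: { "saml.cyvidia-entra-id": ["x"], email: ["x"] },
    sign_in_provider: "saml.cyvidia-entra-id",
    sign_in_attributes: {
      "http://schemas.microsoft.com/identity/claims/tenantid": "tenant-guid",
      "http://schemas.microsoft.com/claims/authnmethodsreferences": [
        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
        "http://schemas.microsoft.com/claims/multipleauthn",
      ],
    },
    tenant: "customer-1-p2kfv",
  },
};

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Build an unsigned (alg "none") token only so the decoder has realistic input.
function makeUnsignedToken(payload) {
  return `${b64url({ alg: "none", typ: "JWT" })}.${b64url(payload)}.`;
}

// Split the compact serialization and decode the claims segment.
function decodeIdTokenPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Summarise what an authorization layer keyed on SAML attributes would see.
function samlAttributeStatus(payload) {
  const fb = payload.firebase || {};
  const provider = fb.sign_in_provider || "";
  const attrs = fb.sign_in_attributes;
  const count = attrs ? Object.keys(attrs).length : 0;
  return {
    provider,
    isSaml: provider.startsWith("saml."),
    secondFactor: fb.sign_in_second_factor || null,
    hasAttributes: count > 0,
    attributeCount: count,
  };
}

// Fail closed: a SAML user whose token lacks IdP attributes must not be authorized
// on the basis of those attributes. Returns the attributes when present.
function requireSamlAttributes(payload) {
  const s = samlAttributeStatus(payload);
  if (s.isSaml && !s.hasAttributes) {
    throw new Error(
      `ID token from ${s.provider} has no firebase.sign_in_attributes` +
        (s.secondFactor ? ` (second factor: ${s.secondFactor})` : "")
    );
  }
  return payload.firebase.sign_in_attributes || {};
}

// Convenience wrapper: decode, then apply the guard, reporting the outcome.
function checkToken(token) {
  const payload = decodeIdTokenPayload(token);
  try {
    return { ok: true, attributes: requireSamlAttributes(payload) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

console.log(checkToken(makeUnsignedToken(AFTER_TOTP_ENROLLMENT)));
console.log(checkToken(makeUnsignedToken(WITHOUT_MFA)));
```

Run against the report's two shapes, the post-TOTP token is rejected with a reason naming the provider and the `totp` second factor, while the no-MFA token passes and yields its attributes. Logging the rejection reason separately from the generic authentication failure makes the regression visible in monitoring rather than surfacing as users mysteriously losing access.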