When using IDP 2.4.4 and MCB 1.2.5 we are seeing AuthnFailed message after authenticating to one sp then switching to a new tab with an sp that forces reauth

Ewing, Bill BEwing at utsystem.edu
Thu Jul 2 12:09:19 EDT 2015


We tried it out last night with the setting:
<input type="hidden" name="selectedmethod" value="PPT" />
I also tried “password”.

During the test, before the login, we would end up on a blank page where the context choice had shown up before; the logs just showed:
21:03:41.427 - DEBUG [edu.internet2.middleware.assurance.mcb.authn.provider.MCBLoginServlet:866] - Displaying velocity template of [selectcontext.vm]
I could hit f5 on the page and it would continue on to the login and let me through.

Seems like it didn’t recognize my choice of value “PPT” or “password”. I guess I am not understanding where that value needs to come from, or I am missing something else.

The previous day’s test, when I had the selection show up, had 2 username/password options; the first one showed in the logs as password, the second as PPT, so that was another reason I thought to try those 2 settings in your config:
22:10:59.356 - DEBUG [edu.internet2.middleware.assurance.mcb.authn.provider.MCBLoginServlet:180] - Selected method name = [password]
22:11:34.341 - DEBUG [edu.internet2.middleware.assurance.mcb.authn.provider.MCBLoginServlet:180] - Selected method name = [PPT]

Thanks for your assistance,
Bill

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
Sent: Thursday, July 02, 2015 9:15 AM
To: Shib Users
Subject: Re: When using IDP 2.4.4 and MCB 1.2.5 we are seeing AuthnFailed message after authenticating to one sp then switching to a new tab with an sp that forces reauth

That file originally shows the user all the contexts they can use to satisfy the request from the SP.  If an SP requires 2FA and you have nothing that can also satisfy 2FA, then the chooser screen won't fire.

Dave

On Wed, Jul 1, 2015 at 9:52 AM, Ewing, Bill <BEwing at utsystem.edu> wrote:
Dave,
So, based on your file and our context name
<context name="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" method="PPT">
we could just change the method value to
<input type="hidden" name="selectedmethod" value="PPT" /> ?

And one other thought going forward: when we end up enabling a 2fa context on some of our apps, will the sp requesting the 2fa auth context override the selected method from this file, or is this file the hard-set choice for all apps? Just wanted to know, since we will only have selected shibbed apps that will be 2fa required. Hope that made sense.

Thanks again,
Bill


From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
Sent: Wednesday, July 01, 2015 9:15 AM
To: Shib Users
Subject: Re: When using IDP 2.4.4 and MCB 1.2.5 we are seeing AuthnFailed message after authenticating to one sp then switching to a new tab with an sp that forces reauth

Here ya go.

https://uchicago.box.com/s/w0oujye8d0zzfpfrolcnotx5wn5yg81i

Dave

On Wed, Jul 1, 2015 at 8:11 AM, Ewing, Bill <BEwing at utsystem.edu> wrote:
Dave,
Thanks for the response. We have only 1 option set for initial context which before this version got us past seeing the selection screen.

<initialAuthContext requestedOnly="false">
    <context name="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
</initialAuthContext>

Would you be willing to share your custom selectcontext.vm file, as we’d be interested in trying that?

Thanks,
Bill

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of David Langenberg
Sent: Tuesday, June 30, 2015 11:24 PM
To: Shib Users
Subject: Re: When using IDP 2.4.4 and MCB 1.2.5 we are seeing AuthnFailed message after authenticating to one sp then switching to a new tab with an sp that forces reauth

You can avoid the initial selection screen by setting an InitialAuthContext that maps to your username/password context.  In our implementation, we have three contexts in play for some users.  To eliminate the chooser screen for them, we modified our selectcontext.vm file to contain a bit of JavaScript that, when window.onload() fires, submits the chooser form automatically back to the IdP with our 2FA context pre-selected.  The JS works pretty well, though we've found it breaks users trying to install the Box Sync and Box Office applications on Windows machines (for some reason the embedded browser won't run the JS).

Dave
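The auto-submit approach Dave describes, written out as an added example (this is not his selectcontext.vm or any MCB code). It assumes, hypothetically, that the template exposes the methods the IdP offered as a JS array and that the chooser form carries a field named selectedmethod (the field name is from the thread); it also guards the case where none of the methods we would auto-pick is on offer, leaving the chooser visible rather than submitting a value the IdP never presented.

```javascript
// Added example, not Dave's selectcontext.vm or any MCB code. It splits the
// "submit the chooser on load" idea into a pure selection step (runnable in
// Node) and thin browser glue.
//
// Assumptions (hypothetical, not from MCB): the template exposes the methods
// the IdP offered for this request as a JS array, and the chooser form holds
// a field named "selectedmethod" (that field name is from the thread).

// Pick the first method in `preferred` that the IdP actually offered.
// Returns null when none match, so the caller leaves the chooser visible
// instead of submitting a method value the IdP did not offer.
function chooseMethod(offered, preferred) {
  if (!Array.isArray(offered) || !Array.isArray(preferred)) return null;
  for (const want of preferred) {
    if (offered.indexOf(want) !== -1) return want;
  }
  return null;
}

// Browser glue. `form` is the chooser form; `submitter` is injected so the
// flow can be exercised without a real DOM. Returns the method submitted,
// or null when the form was left for the user to complete.
function autoSubmitChooser(form, offered, preferred, submitter) {
  const choice = chooseMethod(offered, preferred);
  if (choice === null) return null;
  const field = form.elements.namedItem('selectedmethod');
  if (!field) return null;
  field.value = choice;
  (submitter || ((f) => f.submit()))(form);
  return choice;
}

// On load in the template. The rendered chooser stays in the page, so a
// client that never runs this (the embedded-browser case Dave mentions)
// still gets the manual chooser rather than a dead end.
if (typeof window !== 'undefined') {
  window.onload = function () {
    const form = document.forms[0]; // assumption: the chooser is the only form
    const offered = window.mcbOfferedMethods || []; // assumption: set by the template
    if (form) autoSubmitChooser(form, offered, ['PPT', 'password']);
  };
}
```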

On Tue, Jun 30, 2015 at 9:22 PM, Ewing, Bill <BEwing at utsystem.edu> wrote:
Thanks for the response. I tried the new version this evening and, while it did get me to the sp w/o an AuthnFailed message, we did get stopped with an authentication selection screen where we have to select our authcontext, i.e. 2factor or username/password only. Is there some additional config that can be done to get through w/o getting the selection screen?

Thanks,
Bill

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Paul Hethmon
Sent: Tuesday, June 30, 2015 2:59 PM
To: Shibboleth Users
Subject: Re: When using IDP 2.4.4 and MCB 1.2.5 we are seeing AuthnFailed message after authenticating to one sp then switching to a new tab with an sp that forces reauth

Grab version 1.2.6 to fix that bug.

Paul

On Jun 30, 2015, at 3:50 PM, Ewing, Bill <BEwing at utsystem.edu> wrote:

Ever since we’ve started using the IDP 2.4.4 and MCB 1.2.5 in preparation for rolling out 2factor, we have our users seeing the AuthnFailed message when, after authenticating to one sp, they open a new browser tab and visit an sp that is set to force re-authentication. One of our other schools with a similar setup disabled their setup for previous sessions to get around this issue. We were wondering if this is a known issue for this scenario, or are we missing something with our config on the sp or idp possibly? I’ll paste the idp log snippet below.


-----
Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com


--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net



--
David Langenberg
Identity & Access Management Architect
The University of Chicago