MCB in IdP v3 (3.2.0)

Pradeep Jamble pjamble at gmail.com
Thu Apr 28 14:58:13 EDT 2016


Hello,

I'm trying to set up MCB in v3 as documented on the wiki below but I'm
running into an issue.
https://wiki.shibboleth.net/confluence/pages/viewpage.action?pageId=20807829

Here's what I've configured based on the wiki:

Step 1 & 2: As in the wiki, no changes
Step 3: Defined in general-authn.xml instead of global.xml (based on
another thread in the user community related to MCB)
Step 4, 5, 6 & 7: As in the wiki, no changes except for the attribute used
to read the authn context.
Step 8: Ignored, since we don't need it in our case

I get past the login page and then it errors at the SP end. From the debug
logs, I see it's trying to compare the context with Password & Duo flows
but it can't find a matching context. Here's a snippet:

2016-04-28 03:30:39,023 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:212] - Profile Action FilterFlowsByAttribute: Looking for match for flow authn/Duo against values for attribute info
2016-04-28 03:30:39,024 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action FilterFlowsByAttribute: Comparing principal http://www.duosecurity.com/ against attribute values [StringAttributeValue{value=http://uchicago.edu/duo}]
2016-04-28 03:30:39,024 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action FilterFlowsByAttribute: Comparing principal urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport against attribute values [StringAttributeValue{value=http://uchicago.edu/duo}]
2016-04-28 03:30:39,025 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action FilterFlowsByAttribute: Comparing principal http://www.duosecurity.com/ against attribute values [StringAttributeValue{value=http://uchicago.edu/duo}]
2016-04-28 03:30:39,025 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:164] - Profile Action FilterFlowsByAttribute: Removing flow authn/Duo, Principals did not match any attribute values

Looks like it's using the context defined in the unicon plugin rather than
the configured one.
Here's the error message towards the end:

2016-04-28 03:30:39,040 - ERROR [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:296] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication will fail
2016-04-28 03:30:39,054 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: NoPotentialFlow

Appreciate any help or guidance to get this working.

Regards,
Pradeep
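
An added example, not part of the original post and not Shibboleth code: a small Python helper that rejoins hard-wrapped FilterFlowsByAttribute debug entries and lists, per flow, the principals the flow was compared with against the attribute values it had to match, so the mismatch behind NoPotentialFlow is visible at a glance. The function names, the "offered"/"required" labels and the embedded sample (constructed from log lines like those in the post) are assumptions.

```python
import re

# Constructed sample: debug entries shaped like those quoted in the post, hard-wrapped.
SAMPLE_LOG = """\
2016-04-28 03:30:39,023 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:212] - Profile Action
FilterFlowsByAttribute: Looking for match for flow authn/Duo against values for attribute info
2016-04-28 03:30:39,024 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action
FilterFlowsByAttribute: Comparing principal http://www.duosecurity.com/
against attribute values [StringAttributeValue{value=http://uchicago.edu/duo
}]
2016-04-28 03:30:39,024 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action FilterFlowsByAttribute: Comparing principal
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport against attribute values [StringAttributeValue{value=http://uchicago.edu/duo}]
2016-04-28 03:30:39,025 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:164] - Profile Action
FilterFlowsByAttribute: Removing flow authn/Duo, Principals did not match any attribute values
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - ")
LOOKING = re.compile(r"Looking for match for flow (\S+) against values for attribute (\S+)")
COMPARING = re.compile(r"Comparing principal (\S+) against attribute values \[(.*)\]")
REMOVING = re.compile(r"Removing flow (\S+?),")

def unwrap(text):
    """Rejoin hard-wrapped entries; a new entry starts with a timestamp."""
    entries = []
    for line in text.splitlines():
        if TS.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Map each flow to the principals it was compared with and the attribute values required."""
    flows, current = {}, None
    for entry in unwrap(text):
        if m := LOOKING.search(entry):
            current = flows.setdefault(m.group(1), {"attribute": m.group(2),
                "offered": set(), "required": set(), "removed": False})
        elif (m := COMPARING.search(entry)) and current is not None:
            current["offered"].add(m.group(1))
            current["required"].update(re.findall(r"value=([^}\s]+)", m.group(2)))
        elif (m := REMOVING.search(entry)) and m.group(1) in flows:
            flows[m.group(1)]["removed"] = True
    return flows

def unmatched(flows):
    """Removed flows whose compared principals share nothing with the required values."""
    return {n: sorted(f["required"]) for n, f in flows.items()
            if f["removed"] and not (f["offered"] & f["required"])}
```
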