Displaying a simple error page from a flow

Cantor, Scott cantor.2 at osu.edu
Thu Dec 8 19:12:11 EST 2016


On 12/8/16, 5:29 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

>    Just to follow up to the list, the shortcut didn't work. It ignored the extra code and terminated the flow with a proceed
> event, passing me through with password authentication. The more complex route worked, though.

Alright, I'd welcome a ticket on that; we need a cleaner way of handling that, probably just something added to the context tree explicitly as a signal.

> The getPrincipal call is exactly taken from the sample function shipped with the IdP and comes right after initializing the
> variable to the AttributeResolverContext subcontext, of course.

The example's not right; it won't work if the first factor didn't happen right then. Didn't test enough.

The function to compute the name that's actually in the Duo flow looks like this:

            import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
            import net.shibboleth.idp.session.context.SessionContext;
            import org.opensaml.profile.context.ProfileRequestContext;

            // The apply() method of the Function<ProfileRequestContext,String>.
            public String apply(final ProfileRequestContext input) {
                // Case 1: the first factor ran in this request, so c14n already produced the name.
                final SubjectCanonicalizationContext c14nContext =
                        input.getSubcontext(SubjectCanonicalizationContext.class);
                if (c14nContext != null && c14nContext.getPrincipalName() != null) {
                    return c14nContext.getPrincipalName();
                }
                // Case 2: SSO reused an existing session; the name lives on the IdP session.
                final SessionContext sessionContext = input.getSubcontext(SessionContext.class);
                if (sessionContext != null && sessionContext.getIdPSession() != null) {
                    return sessionContext.getIdPSession().getPrincipalName();
                }
                // Neither: no authenticated principal is available.
                return null;
            }

The null checking plus the second part is missing from the example, and since all that's wrapped up in a Function class anyway, I would just have pulled an instance of that class in:

    <bean id="UsernameLookupStrategy"
        class="net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy" />

Stuff that into the script via customObject and you can just run it to get the name out. *That* is guaranteed to work since if Password succeeds, either it ran just then or SSO happened and the session has the identity.

File a bug and I'll fix up the example.

-- Scott
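Putting the pieces together, as an added example (mine, not code from this thread or from the IdP distribution): a fragment of an IdP 3.3 conf/authn/mfa-authn-config.xml that hands the CanonicalUsernameLookupStrategy bean to the transition script through customObject, as suggested above, and only skips Duo when a resolved attribute explicitly says so. Assumptions, all renamable: the map bean id mfa.CustomObjects (a script receives a single customObject, so the lookup function and the attribute resolver service are bundled in a plain Spring util:map), the attribute name mfaExempt, and the bean id checkSecondFactor.

```xml
<!-- Added example, not from the thread or the IdP distribution.
     Assumed names: mfa.CustomObjects (the map), mfaExempt (a resolver attribute). -->

<!-- The function referred to above: returns the principal name whether Password just
     ran (SubjectCanonicalizationContext) or SSO reused a session (SessionContext). -->
<bean id="UsernameLookupStrategy"
    class="net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy" />

<!-- A script gets exactly one customObject; bundle the lookup function and the
     resolver service in a map so the script can reach both (assumption: util:map). -->
<util:map id="mfa.CustomObjects">
    <entry key="usernameLookup" value-ref="UsernameLookupStrategy" />
    <entry key="resolver" value-ref="shibboleth.AttributeResolverService" />
</util:map>

<!-- Password first, then let the script decide whether Duo is required. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted"
        factory-method="inlineScript" p:customObject-ref="mfa.CustomObjects">
    <constructor-arg>
        <value>
        <![CDATA[
            // Fail closed: unless something below proves Duo is unnecessary, run it.
            nextFlow = "authn/Duo";

            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

            // Only consider skipping Duo if the first factor already satisfies the request
            // (e.g. the SP did not demand an MFA authentication context class).
            if (mfaCtx.isAcceptable()) {
                // The shipped lookup function, not a hand-rolled read of the c14n context,
                // so the SSO case (name on the session, no c14n in this request) works too.
                username = custom.get("usernameLookup").apply(input);

                if (username != null) {
                    resCtx = input.getSubcontext(
                        "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
                    resCtx.setPrincipal(username);
                    resCtx.getRequestedIdPAttributeNames().add("mfaExempt");   // assumed attribute name
                    resCtx.resolveAttributes(custom.get("resolver"));

                    attribute = resCtx.getResolvedIdPAttributes().get("mfaExempt");
                    valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
                    if (attribute != null && attribute.getValues().contains(new valueType("true"))) {
                        nextFlow = null;   // exempt: finish with Password alone
                    }
                    // Don't leave the scratch context behind for the real attribute resolution.
                    input.removeSubcontext(resCtx);
                }
                // username == null would mean neither c14n nor a session produced a name;
                // leave nextFlow at Duo rather than let the user through on Password alone.
            }

            nextFlow;   // value handed back to the MFA flow: "authn/Duo" or null
        ]]>
        </value>
    </constructor-arg>
</bean>
```

Inside the script, input is the ProfileRequestContext and custom is whatever customObject-ref points at; the script's last expression is its return value, and returning null ends the MFA flow with the factors already completed. The default of "authn/Duo" is deliberate: a lookup that yields no name, or an attribute that fails to resolve, sends the user to the second factor instead of reproducing the pass-through Keith saw.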