RemoteUser configuration in IdP V 3.2.1

Erik Guss eguss at auth.lib.montana.edu
Fri Jul 8 11:56:59 EDT 2016


A clarification: The RemoteUser is configured in the web.xml, and
functions correctly the first time the SP contacts the IdP (not
including a session Id). 
The error log entries I included below are for when the browser has sat
idle for more than the IdP session limit, but still submits the IdP
session id it has in the request. Since that session has expired, no
REMOTE_USER is found. That is when I wish for the IdP to re-run the
login flow from scratch (or some other proper way to allow it to get
back to a login screen.) Thank you.


On Thu, 2016-07-07 at 14:49 -0600, Erik Guss wrote:

> Hello,
> I've recently upgraded to IdP v3.2.1. I have followed the basic
> configuration for RemoteUser via the documentation. A particular SP
> problem I am having is that in the case of an expired session, the
> login flow is not re-triggered as we wish. An error log sequence is
> included below illustrating what is happening. My question is, what
> would be the proper XML stanza to use in
> conf/authn/remoteuser-authn-config.xml to trigger RemoteUser again if
> an existing authentication result is inactive? Thank you.
> 
> 2016-05-11 10:22:13,486 - DEBUG
> [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:167] -
> Profile Action PopulateAuthenticationContext: Installed 1
> authentication
> flows into AuthenticationContext
> 2016-05-11 10:22:13,488 - DEBUG
> [net.shibboleth.idp.session.impl.StorageBackedSessionManager:707] -
> Performing primary lookup on session ID
> ebab536b9a26a518255bcfa5951153219f966799afa33af278c77aec19bef3e6
> 2016-05-11 10:22:13,492 - DEBUG
> [net.shibboleth.idp.session.impl.StorageBackedIdPSession:90] -
> Updating
> expiration of master record for session
> ebab536b9a26a518255bcfa5951153219f966799afa33af278c77aec19bef3e6 to
> 2016-05-11T11:22:13.492-06:00
> 2016-05-11 10:22:13,504 - DEBUG
> [net.shibboleth.idp.session.impl.StorageBackedIdPSession:528] -
> Loading
> AuthenticationResult for flow authn/RemoteUser in session
> ebab536b9a26a518255bcfa5951153219f966799afa33af278c77aec19bef3e6
> 2016-05-11 10:22:13,510 - DEBUG
> [net.shibboleth.idp.session.impl.ExtractActiveAuthenticationResults:116]
> - Profile Action ExtractActiveAuthenticationResults: authentication
> result authn/RemoteUser is inactive, skipping it
> 2016-05-11 10:22:13,511 - DEBUG
> [net.shibboleth.idp.session.impl.ExtractActiveAuthenticationResults:122]
> - Profile Action ExtractActiveAuthenticationResults: no active
> authentication results, SSO will not be possible
> 2016-05-11 10:22:13,542 - DEBUG
> [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:53] - Profile
> Action FilterFlowsByForcedAuthn: Request does not have forced
> authentication requirement, nothing to do
> 2016-05-11 10:22:13,543 - DEBUG
> [net.shibboleth.idp.authn.impl.FilterFlowsByPassivity:53] - Profile
> Action FilterFlowsByPassivity: Request does not have passive
> requirement, nothing to do
> 2016-05-11 10:22:13,544 - DEBUG
> [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:53] -
> Profile Action FilterFlowsByNonBrowserSupport: Request does not have
> non-browser requirement, nothing to do
> 2016-05-11 10:22:13,546 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:257] - Profile
> Action SelectAuthenticationFlow: No specific Principals requested
> 2016-05-11 10:22:13,546 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:292] - Profile
> Action SelectAuthenticationFlow: No usable active results available,
> selecting an inactive flow
> 2016-05-11 10:22:13,547 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:334] - Profile
> Action SelectAuthenticationFlow: Selecting inactive authentication
> flow
> authn/RemoteUser
> 2016-05-11 10:22:13,574 - INFO
> [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:121] -
> Profile Action ValidateExternalAuthentication: External authentication
> failed, no user identity or error information returned
> 2016-05-11 10:22:13,578 - INFO
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:130] - Profile
> Action SelectAuthenticationFlow: Moving incomplete flow
> authn/RemoteUser
> to intermediate set
> 2016-05-11 10:22:13,579 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:257] - Profile
> Action SelectAuthenticationFlow: No specific Principals requested
> 2016-05-11 10:22:13,579 - DEBUG
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:292] - Profile
> Action SelectAuthenticationFlow: No usable active results available,
> selecting an inactive flow
> 2016-05-11 10:22:13,580 - ERROR
> [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:296] - Profile
> Action SelectAuthenticationFlow: No potential flows left to choose
> from,
> authentication will fail
> 2016-05-11 10:22:13,596 - WARN
> [org.opensaml.profile.action.impl.LogEvent:76] - An error event
> occurred
> while processing the request: NoPotentialFlow
> 2016-05-11 10:22:13,597 - DEBUG
> [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:184]
> - Error event NoPotentialFlow will be handled with response
> 
> 
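
The failure sequence in the quoted log above (an inactive authn/RemoteUser result, then a failed external authentication, then NoPotentialFlow) can be picked out of an IdP process log mechanically. This is an added example, not part of the original post and not Shibboleth code; the function names are hypothetical, the sample is constructed from the quoted log, and it assumes records from one request are not interleaved with another's.

```python
import re

# Constructed sample: a shortened copy of the ">"-quoted, mail-wrapped log.
SAMPLE = """\
> 2016-05-11 10:22:13,510 - DEBUG
> [net.shibboleth.idp.session.impl.ExtractActiveAuthenticationResults:116]
> - Profile Action ExtractActiveAuthenticationResults: authentication
> result authn/RemoteUser is inactive, skipping it
> 2016-05-11 10:22:13,574 - INFO
> [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:121] -
> Profile Action ValidateExternalAuthentication: External authentication
> failed, no user identity or error information returned
> 2016-05-11 10:22:13,596 - WARN
> [org.opensaml.profile.action.impl.LogEvent:76] - An error event
> occurred
> while processing the request: NoPotentialFlow
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - ")
STAGES = [  # ordered markers of the failure described in the post
    re.compile(r"authentication result (\S+) is inactive"),
    re.compile(r"External authentication failed"),
    re.compile(r"error event occurred while processing the request: NoPotentialFlow"),
]

def unwrap(text):
    """Strip '>' quoting and rejoin records that were wrapped across lines."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if line and (RECORD_START.match(line) or not records):
            records.append(line)          # a timestamp starts a new record
        elif line:
            records[-1] += " " + line     # continuation of the previous record
    return records

def find_expired_session_failures(records):
    """Return (flow, first_ts, last_ts) for each complete stage sequence."""
    hits, stage, flow, start = [], 0, None, None
    for rec in records:
        first = STAGES[0].search(rec)
        if first:  # an inactive result restarts the sequence
            stage, flow, start = 1, first.group(1), rec[:23]
        elif stage and STAGES[stage].search(rec):
            stage = (stage + 1) % len(STAGES)
            if stage == 0:
                hits.append((flow, start, rec[:23]))
    return hits
```

A count of these hits over time shows how often users return with an expired IdP session and land on the error response instead of a login screen.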