Authn Error - IdP v3

Cantor, Scott cantor.2 at
Mon May 9 09:53:49 EDT 2016

> The X509 flow is enabled globally in '' and the flow descriptor has
> been defined in 'general-authn.xml'. The initial authn works fine with client
> certs but once I go past the prompt i.e. x509-prompt.jsp, I get the warning
> and error message.

To get the error you cannot have the flow enabled, that's pretty much it. You simply cannot have included it as one of the flows identified in the idp.authn.flows property. You enabled it in the idp.initial-authn.flows property, but not the main one.

I told you already: stop using the initial-authn feature and you should be fine. Using it with X.509 doesn't make any sense, so you don't need to do what you're doing.

> The authentication succeeds and I can SSO to the application but I think the
> IdP is unable to store the session. To test this, I just deleted the application
> cookies and then tried to login again. It prompted me for the cert again even
> though I had my idp session active.

I'm aware it can't store the session, and the log indicates the reason is that the flow isn't enabled.

> Any reason this could happen? I do have the MCB configured in my test
> environment but I don't think that would interfere with the initial or x509
> authn. Just sharing ...

There is no MCB in V3.

The error means the flow is not enabled. End of story.

-- Scott
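As an added illustration, not taken from this thread or from the Shibboleth project, the idp.properties fragment below contrasts the configuration the poster describes with the one the reply calls for. The file name idp.properties and the flow id X509 are assumptions; the initial-authn property name is used as it appears in the thread.

```properties
# --- Misconfigured (what the poster describes): X509 is listed only for
# initial authentication, not in the main enabled-flows property, so the
# IdP can run the flow once but will not store a session for it.
idp.authn.flows = Password
idp.initial-authn.flows = X509

# --- Corrected (what the reply calls for): stop using the initial-authn
# feature and enable X509 in the main property. idp.authn.flows is a
# regular expression matching the flow ids to enable, so Password|X509
# enables both login flows.
idp.authn.flows = Password|X509
#idp.initial-authn.flows =
```

Only one definition of each property should be left active in the real file; the two sections are shown together only to make the difference visible.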
