Authn Error - IdP v3

Pradeep Jamble pjamble at gmail.com
Mon May 9 16:55:01 EDT 2016


My bad Scott, apologies. I was looking in the wrong place. I didn't realize
the properties were mutually exclusive.

Regarding X509 as initial authn, I'm just testing a use case where we want
to use certs for primary authn followed by another factor. That's where I
was trying to replicate the MCB stuff based on one of the documents in the
wiki. The idea is to get away from using password for authn. So, I'm trying
things out in my test environment.

Pradeep

On Mon, May 9, 2016 at 6:53 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> > The X509 flow is enabled globally in 'idp.properties' and the flow
> > descriptor has been defined in 'general-authn.xml'. The initial authn
> > works fine with client certs but once I go past the prompt i.e.
> > x509-prompt.jsp, I get the warning and error message.
>
> To get the error you cannot have the flow enabled, that's pretty much it.
> You simply cannot have included it as one of the flows identified in the
> idp.authn.flows property. You enabled it in the idp.intial-authn.flows
> property, but not the main one.
>
> I told you already: stop using the initial-authn feature and you should be
> fine. Using it with X.509 doesn't make any sense, so you don't need to do
> what you're doing.
>
> > The authentication succeeds and I can SSO to the application but I think
> > the IdP is unable to store the session. To test this, I just deleted the
> > application cookies and then tried to login again. It prompted me for the
> > cert again even though I had my idp session active.
>
> I'm aware it can't store the session, and the log indicates the reason is
> that the flow isn't enabled.
>
> > Any reason this could happen? I do have the MCB configured in my test
> > environment but I don't think that would interfere with the initial or
> > x509 authn. Just sharing ...
>
> There is no MCB in V3.
>
> The error means the flow is not enabled. End of story.
>
> -- Scott

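The misconfiguration diagnosed in this thread (a flow named in the initial-authn property but not in `idp.authn.flows`) can be caught before deployment with a small check over `idp.properties`. This is an added example, not part of the original messages or of the Shibboleth project. It assumes the initial-authn property is spelled `idp.authn.flows.initial`, that both values are `|`-separated flow names, and that `idp.authn.flows` is treated as a regular expression; the sample files are constructed.

```python
import re

MAIN_KEY = "idp.authn.flows"
INITIAL_KEY = "idp.authn.flows.initial"  # assumed spelling of the initial-authn property


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def initial_flows_not_enabled(text):
    """Return flows named as initial-authn that the main flows value does not enable."""
    props = parse_properties(text)
    main = props.get(MAIN_KEY, "")
    initial = props.get(INITIAL_KEY, "")
    if not initial:
        return []  # initial-authn feature unused, nothing to cross-check
    enabled = re.compile(main) if main else None
    missing = []
    for flow in (f.strip() for f in initial.split("|")):
        # Assumption: a flow counts as enabled when the main value matches its whole name.
        if flow and not (enabled and enabled.fullmatch(flow)):
            missing.append(flow)
    return missing


# Constructed sample: X509 used for initial authn but absent from the main list.
BROKEN = "idp.authn.flows = Password\nidp.authn.flows.initial = X509\n"
# Constructed sample: initial-authn left commented out, X509 enabled as a normal flow.
FIXED = "idp.authn.flows = X509|Password\n#idp.authn.flows.initial = X509\n"

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", initial_flows_not_enabled(sample) or "ok")
```
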