Authn Error - IdP v3

Pradeep Jamble pjamble at
Tue May 10 13:25:04 EDT 2016

Hey Scott,

When I follow X509 initial authn with RemoteUser, I don't get prompted and
the user identity is pulled from the session as expected. However, when I
follow X509 with Password (jaas), it prompts me with the login page. Is
this behavior expected or should it extract the user identity in both cases?


On Mon, May 9, 2016 at 2:56 PM, Pradeep Jamble <pjamble at> wrote:

> Got it. I realize that the purpose of that feature was not to combine and
> orchestrate multiple authn flows. I tried to setup X509 as the first factor
> and then RemoteUser authn as the second factor but it just pulled the user
> identity from the existing session and didn't prompt the user again. I was
> looking for a way to force the authn but I now understand from your
> statement that it's not designed to do that.
> I'm going to look at the auth flow documentation and see if there's a way
> to build something to match the use case. Thanks Scott!
> On Mon, May 9, 2016 at 2:22 PM, Cantor, Scott <cantor.2 at> wrote:
>> > My bad Scott, apologies. I was looking in the wrong place. I didn't
>> realize the
>> > properties were mutually exclusive.
>> They're not mutually exclusive, they're overlapping, which is why it's an
>> ugly little feature. It's just a stopgap. But it doesn't make sense to use
>> it with certificates.
>> > Regarding, X509 as initial authn, I'm just testing a use case where we
>> want to
>> > use certs for primary authn followed by another factor. That's where I
>> was
>> > trying to replicate the MCB stuff based on one of the documents in the
>> wiki.
>> No, that won't do what you want. The initial-authn thing only runs then
>> there's no session and it's just skipped entirely at any other time because
>> the user identify it pulled out of the session.
>> I can't do much besides acknowledge that combining factors isn't really a
>> feature it provides. It just wasn't a requirement for the first releases.
>> The requirement we had was for *selecting* different factors, not combining
>> them. 3.3 will provide a method to combine them.
>> But there is documentation on authoring login flows and of course
>> there're the existing flows to copy and adapt.
>> -- Scott
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list