Failure when using MFA with SP requiring exact match on PasswordProtectedTransport
Leite, Zailo S.
zleite at caltech.edu
Fri May 5 13:18:02 EDT 2017
We are using the MFA flow, and it works great, but I am getting an error of:
WARN net.shibboleth.idp.authn.impl.FinalizeAuthentication:179 Profile Action FinalizeAuthentication: Authentication result for flow authn/MFA did not satisfy the request
When the SP requests:
<samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
What am I doing wrong?
Z
On Thu, 2017-03-23 at 23:10 +0000, Hong Ye wrote:
> Here is what I have now, but it still doesn't work:
>
> <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
>         p:nonBrowserSupported="false">
>     <property name="supportedPrincipals">
>         <list>
>             <bean parent="shibboleth.SAML2AuthnContextClassRef"
>                 c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
>         </list>
>     </property>
> </bean>
>
> <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
>         p:forcedAuthenticationSupported="true"
>         p:nonBrowserSupported="false">
>     <property name="supportedPrincipals">
>         <list>
>             <bean parent="shibboleth.SAML2AuthnContextClassRef"
>                 c:classRef="http://cornell.edu/mfa" />
>             <bean parent="shibboleth.SAML1AuthenticationMethod"
>                 c:method="http://cornell.edu/mfa" />
>         </list>
>     </property>
> </bean>
>
> <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
>         p:passiveAuthenticationSupported="true"
>         p:forcedAuthenticationSupported="true">
>     <property name="supportedPrincipals">
>         <list>
>             <bean parent="shibboleth.SAML2AuthnContextClassRef"
>                 c:classRef="http://cornell.edu/mfa" />
>             <bean parent="shibboleth.SAML2AuthnContextClassRef"
>                 c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
>         </list>
>     </property>
> </bean>
>
> > On Mar 23, 2017, at 4:58 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> >
> > > I tried the solution posted by Scott Koranda in that thread. It still
> > > doesn't work for me. Our primary authentication is authn/RemoteUser. I'm
> > > sure I'm missing something in my configuration, but I can't figure it out.
> >
> > Your supportedPrincipal collections don't make any sense.
> >
> > The Duo method is claiming to support "http://cornell.edu/mfa" but
> > your MFA method is not consistent with that and is for some reason
> > claiming to support IPAddress and Password contexts, probably
> > because the default example uses those. You can't leave things
> > defaulted, you have to adjust them all appropriately for your local
> > choices.
> >
> > The MFA flow needs to "support" all of the possible values you want
> > to have it respond to, generally by unioning the values supported by
> > the individual flows it's going to be orchestrating. Most of the
> > time that's enough to get things operating correctly.
> >
> > You also didn't show what your RemoteUser flow's supportedPrincipals
> > are, but collectively it's not consistent or correct.
> >
> > -- Scott
> >
> > --
> > To unsubscribe from this list send an email to
> > users-unsubscribe at shibboleth.net
>