Unexpected behaviours with matchExpression and SPNEGO and RemoteUser

Simon Lundström simlu at su.se
Tue May 16 04:23:54 EDT 2017

On Fri, 2017-05-12 at 15:09:08 +0000, Cantor, Scott wrote:
> On 5/12/17, 10:20 AM, "users on behalf of Simon Lundström" <users-bounces at shibboleth.net on behalf of simlu at su.se> wrote:
> > For SPNEGO on the other hand we get no error back to the user what so
> > ever.
> The SPNEGO flow is handling the error by causing the next login flow to be tried (it signals ReselectFlow). If it isn't doing that, something else is broken that I really have no guess about since there's nothing in the log.

I think this might be a default configuration bug actually.

In conf/authn/spnego-authn-config.xml in the
shibboleth.authn.SPNEGO.ClassifiedMessageMap there is no
InvalidCredentials or INVALID_CREDENTIALS which makes it just "fall
back" to the ReselectFlow, as noted in the comment in
system/flows/authn/spnego-authn-flow.xml which makes it reselect twice,
hence the two fold incrementation of execution(?).

When I added an InvalidPassword entry with InvalidCredentials as a value
it shows the same as the authn/Password which is what I expected.

> > For RemoteUser we get sent back to the SP with an error message which is
> > more helpful, I mean status:AuthnFailed is clear, than the SPNEGO case
> It's the same code checking the name and the same outcome, but the External/RemoteUser flows don't remap the InvalidCredentials event and just fail authentication. It should be possible to change that to match what the SPNEGO flow is doing with the message map for those flows to get it to pass control to another login flow.

If I in the same way in conf/authn/remoteuser-authn-config.xml to
shibboleth.authn.RemoteUser.ClassifiedMessageMap add InvalidCredentials
and in system/flows/authn/remoteuser-authn-flow.xml to the
ValidateExternalAuthentication action-state add a:
<transition on="InvalidSubjectCanonicalizationContext" to="ReselectFlow" />
I get the flow I expected.

Is there a way to add the transition to the flow without editing a
system file?

> > We expected that both SPNEGO and RemoteUser would behave as Password.
> They have no UI, so that would be impossible. They're very different in nature.

Well, it seems like they can be tamed to have an UI. I now know more
about webflows and spring than I ever intended. "Thanks" Scott ; P

- Simon

More information about the users mailing list