Unexpected behaviours with matchExpression and SPNEGO and RemoteUser
Simon Lundström
simlu at su.se
Thu May 18 03:35:31 EDT 2017
On Tue, 2017-05-16 at 13:41:04 +0000, Cantor, Scott wrote:
> > I think this might be a default configuration bug actually.
>
> It's not a bug because it's explicitly wired into the flow. Whether it should have been done that way might be a bug, but the thought process was that the SPNEGO flow should "fall back" to another login flow when that error occurs.
Yeah, and that's sane. With no fallback there's really nowhere or no way
to notify the user of an error. But a username validation or SPNEGO
error can, and I think should, show as an error when moving to the
next flow, which usually should be Password.
> > When I added an InvalidPassword entry with InvalidCredentials as a value
> > it shows the same as the authn/Password which is what I expected.
>
> I don't follow that, I would have to see what you're talking about.
In conf/authn/spnego-authn-config.xml to
shibboleth.authn.SPNEGO.ClassifiedMessageMap I added:
<entry key="InvalidPassword">
    <list>
        <value>InvalidCredentials</value>
        <value>INVALID_CREDENTIALS</value>
    </list>
</entry>
> An error like that should basically fail the whole login process. I don't know what "Same as authn/Password" means here since there's no form to display.
That flow, yes. But in the next flow we should show why we failed the
previous flow, IMO.
We have a SPNEGO button on our Password login page. If SPNEGO fails it
just returns to Password but shows the error message.
> > Is there a way to add the transition to the flow without editing a
> > system file?
>
> No, but you don't need to. You can get InvalidCredentials as a message to signal ReselectFlow as an outcome, if you want. That's what the message maps do.
Sure, but then the user doesn't get any message on why (or even that)
RemoteUser failed which is what we want.
*Without* changing system/flows/authn/remoteuser-authn-flow.xml to add:
<transition on="InvalidSubjectCanonicalizationContext" to="ReselectFlow" />
to the ValidateExternalAuthentication action state I get:
[…]
DEBUG [net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:231] User identity extracted from REMOTE_USER: simlu/root at SU.SE
INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:146] Profile Action ValidateExternalAuthentication: External authentication succeeded for user: simlu/root at SU.SE
INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:209] Profile Action ValidateExternalAuthentication: Username did not match expression
WARN [org.opensaml.profile.action.impl.LogEvent:105] A non-proceed event occurred while processing the request: InvalidSubjectCanonicalizationContext
DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:179] Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.messaging.handler.impl.BasicMessageHandlerChain' on OUTBOUND message context
DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.ResponseImpl'
DEBUG [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100] Looking up message encoder based on binding URI: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
DEBUG [net.shibboleth.idp.profile.impl.RecordResponseComplete:89] Profile Action RecordResponseComplete: Record response complete
and the very exact, but to the end user confusing, SAML error page on the
SP.
With the configuration above we get fallback to Password and a friendly
notification that the login failed.
> > Well, it seems like they can be tamed to have a UI.
>
> I don't follow that part, but one thing I did realize is that if the External flow involves some sort of system that itself has a UI, I could see the logic for having the username checking logic fail result in passing control *back* to the external system. I didn't see that originally, but I could see wanting to do that.
Since both RemoteUser and SPNEGO fall back to Password you can configure
the IDP to show the error messages of RemoteUser and SPNEGO on the
Password login page.
BR,
- Simon
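To catch this failure mode in the IdP's process.log before it surfaces as a SAML error page on the SP, here is an added Python triage script (not from this thread or the Shibboleth project) that correlates each REMOTE_USER extraction with the matchExpression rejection and the non-proceed event that follow it; the log lines and the sample expression are constructed, modelled on the excerpt above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the process.log excerpt in the mail above.
SAMPLE_LOG = """\
DEBUG [net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:231] User identity extracted from REMOTE_USER: alice/admin@EXAMPLE.ORG
INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:146] Profile Action ValidateExternalAuthentication: External authentication succeeded for user: alice/admin@EXAMPLE.ORG
INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:209] Profile Action ValidateExternalAuthentication: Username did not match expression
WARN [org.opensaml.profile.action.impl.LogEvent:105] A non-proceed event occurred while processing the request: InvalidSubjectCanonicalizationContext
DEBUG [net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:231] User identity extracted from REMOTE_USER: bob@EXAMPLE.ORG
INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:146] Profile Action ValidateExternalAuthentication: External authentication succeeded for user: bob@EXAMPLE.ORG
"""

# Constructed stand-in for the IdP's matchExpression: plain "user@REALM" only,
# so a principal carrying an instance such as "alice/admin" is rejected.
SAMPLE_MATCH_EXPRESSION = re.compile(r"^[a-z]+@[A-Z.]+$")

LINE_RE = re.compile(r"^(?P<level>[A-Z]+) \[(?P<logger>[^\]:]+):\d+\] (?P<msg>.*)$")
EXTRACT_RE = re.compile(r"User identity extracted from REMOTE_USER: (?P<user>\S+)")
EVENT_RE = re.compile(r"non-proceed event occurred while processing the request: (?P<event>\S+)")


def matches_expression(principal: str, expression: re.Pattern = SAMPLE_MATCH_EXPRESSION) -> bool:
    """Mirror the IdP's check: the whole REMOTE_USER value must match the expression."""
    return expression.fullmatch(principal) is not None


def find_match_expression_rejections(log_text: str) -> List[Dict[str, Optional[str]]]:
    """One record per REMOTE_USER principal rejected by the matchExpression check,
    with the non-proceed event recorded after it (None if the log ended first)."""
    rejections: List[Dict[str, Optional[str]]] = []
    current_user: Optional[str] = None
    pending: Optional[Dict[str, Optional[str]]] = None  # rejection awaiting its event line
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # not an IdP log line (stack trace, banner, ...)
        msg = line.group("msg")
        extracted = EXTRACT_RE.search(msg)
        event = EVENT_RE.search(msg)
        if extracted:
            current_user = extracted.group("user")
            pending = None  # a new request starts; forget any stale rejection
        elif "Username did not match expression" in msg and current_user:
            pending = {"user": current_user, "event": None}
            rejections.append(pending)
        elif pending is not None and event:
            pending["event"] = event.group("event")
            pending = None
    return rejections
```

Run it over process.log on the IdP host to list which principals are being turned away by matchExpression and with which event, which is what decides whether the flow falls back or ends in a SAML error.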