Why is Password flow selecting Basic Authentication
Robert Duncan
Robert.Duncan at ncirl.ie
Thu Mar 29 06:21:55 EDT 2018
What would cause my IdP 3.2 to default to basic authentication for all SPs?
This began after trying to enable ldap authentication in Apache to the ECP profile, following instructions here:
https://wiki.shibboleth.net/confluence/display/IDP30/IDP3+ECP+with+Tomcat+and+Apache-Managed+Authentication
2018-03-29 09:30:57,209 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:237] - Profile Action PopulateSignatureSigningParameters: Resolved SignatureSigningParameters
2018-03-29 09:30:57,212 - DEBUG [org.opensaml.saml.common.profile.impl.PopulateSignatureSigningParameters:187] - Profile Action PopulateSignatureSigningParameters: Signing not enabled
2018-03-29 09:30:57,216 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:305] - Profile Action PopulateEncryptionParameters: Encryption for assertions (true), identifiers (false), attributes(false)
2018-03-29 09:30:57,217 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:315] - Profile Action PopulateEncryptionParameters: Resolving EncryptionParameters for request
2018-03-29 09:30:57,217 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:380] - Profile Action PopulateEncryptionParameters: Adding entityID to resolution criteria
2018-03-29 09:30:57,217 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:391] - Profile Action PopulateEncryptionParameters: Adding role metadata to resolution criteria
2018-03-29 09:30:57,217 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:259] - Resolving credentials from supplied RoleDescriptor using usage: ENCRYPTION. Effective entityID was: https://e5.onthehub.com
2018-03-29 09:30:57,218 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:351] - Resolved cached credentials from KeyDescriptor object metadata
2018-03-29 09:30:57,218 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:395] - Could not resolve data encryption algorithm based on SAML metadata, falling back to locally configured algorithms
2018-03-29 09:30:57,218 - DEBUG [org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver:351] - Could not resolve key transport algorithm based on SAML metadata, falling back to locally configured algorithms
2018-03-29 09:30:57,219 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.PopulateEncryptionParameters:331] - Profile Action PopulateEncryptionParameters: Resolved EncryptionParameters
2018-03-29 09:30:57,233 - DEBUG [net.shibboleth.idp.saml.profile.impl.ExtractSubjectFromRequest:144] - Profile Action ExtractSubjectFromRequest: No Subject NameID/NameIdentifier in message needs inbound processing
2018-03-29 09:30:57,233 - DEBUG [org.opensaml.saml.common.profile.impl.VerifyChannelBindings:154] - Profile Action VerifyChannelBindings: No channel bindings found to verify, nothing to do
2018-03-29 09:30:57,246 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:115] - Profile Action InitializeAuthenticationContext: Created authentication context: AuthenticationContext{initiationInstant=2018-03-29T09:30:57.245Z, isPassive=false, forceAuthn=false, hintedName=null, potentialFlows=[], activeResults=[], attemptedFlow=null, signaledFlowId=null, authenticationStateMap={}, resultCacheable=true, initialAuthenticationResult=null, authenticationResult=null, completionInstant=1970-01-01T00:00:00.000Z}
2018-03-29 09:30:57,255 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.ProcessRequestedAuthnContext:174] - Profile Action ProcessRequestedAuthnContext: AuthnRequest did not contain a RequestedAuthnContext, nothing to do
2018-03-29 09:30:57,261 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:200] - Profile Action PopulateAuthenticationContext: Installed 1 potential authentication flows into AuthenticationContext
2018-03-29 09:30:57,266 - DEBUG [net.shibboleth.idp.session.impl.PopulateSessionContext:133] - Profile Action PopulateSessionContext: No session found for client
2018-03-29 09:30:57,276 - DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] - Profile Action InitializeRequestedPrincipalContext: Profile configuration did not supply any default authentication methods
2018-03-29 09:30:57,276 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:53] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do
2018-03-29 09:30:57,276 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:53] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2018-03-29 09:30:57,281 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:255] - Profile Action SelectAuthenticationFlow: No specific Principals requested
2018-03-29 09:30:57,281 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:290] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow
2018-03-29 09:30:57,281 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:338] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/Password
2018-03-29 09:30:57,303 - DEBUG [net.shibboleth.idp.authn.impl.ExtractUsernamePasswordFromBasicAuth:115] - Profile Action ExtractUsernamePasswordFromBasicAuth: No appropriate Authorization header found
I have since disabled the Apache location for ECP - shouldn't really matter, looks like Shib is selecting remote user from the container as the authentication flow?
#############
Apache :
<IfModule headers_module>
Header set X-Frame-Options DENY
Header set Strict-Transport-Security "max-age=31536000 ; includeSubDomains"
</IfModule>
<Proxy ajp://localhost:8009>
Require all granted
</Proxy>
ProxyPass /idp ajp://localhost:8009/idp retry=5
ProxyPassReverse /idp ajp://localhost:8009/idp retry=5
#############
Tomcat 7
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" address="127.0.0.1" enableLookups="false"/>
#############
Idp.properties
idp.encryption.optional = true
idp.session.enabled = true
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.session.idSize = 32
idp.session.timeout = PT60M
idp.session.slop = PT0S
idp.session.maskStorageFailure = true
idp.session.trackSPSessions = true
idp.session.secondaryServiceIndex = true
idp.session.defaultSPlifetime = PT2H
idp.authn.flows= Password
#########################
General-authn.xml
<util:list id="shibboleth.AvailableAuthenticationFlows">
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true" />
########################
Password-authn-config.xml
<import resource="ldap-authn-config.xml" />
#######################
Web.xml (didn't edit)
<!-- Uncomment if you want BASIC auth managed by the container. -->
<!--
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Web Login Service</realm-name>
</login-config>
-->
Thanks,
Rob.
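As an added example (not part of Rob's message or of the Shibboleth project's code), a small Python parser for the idp-process.log line format quoted above. It reduces a request's debug trail to the authentication decision it records: which flow SelectAuthenticationFlow picked, how many flows were installed, whether a session existed, and whether the ExtractUsernamePasswordFromBasicAuth step found an Authorization header or only reported that none was present. The sample lines are constructed after the excerpt in the post.

```python
import re
from typing import Dict, List

# idp-process.log line shape: "<date> <time>,<ms> - <LEVEL> [<class>:<line>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<level>[A-Z]+) "
    r"\[(?P<cls>[\w.$]+):(?P<line>\d+)\] - (?P<msg>.*)$"
)
FLOW_RE = re.compile(r"Selecting (?:inactive|active) authentication flow (?P<flow>\S+)")
COUNT_RE = re.compile(r"Installed (?P<n>\d+) potential authentication flows")

# Constructed sample, modelled on the post's excerpt; the last line imitates a stack-trace
# continuation line that does not follow the log format and must be skipped.
SAMPLE_LOG = """\
2018-03-29 09:30:57,266 - DEBUG [net.shibboleth.idp.session.impl.PopulateSessionContext:133] - Profile Action PopulateSessionContext: No session found for client
2018-03-29 09:30:57,261 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:200] - Profile Action PopulateAuthenticationContext: Installed 1 potential authentication flows into AuthenticationContext
2018-03-29 09:30:57,281 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:338] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/Password
2018-03-29 09:30:57,303 - DEBUG [net.shibboleth.idp.authn.impl.ExtractUsernamePasswordFromBasicAuth:115] - Profile Action ExtractUsernamePasswordFromBasicAuth: No appropriate Authorization header found
    at example.Constructed.line(Constructed.java:1)
"""

def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize_authn(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Reduce one request's trail to the authentication decision it records."""
    summary: Dict[str, object] = {
        "session_found": None, "installed_flows": None, "selected_flow": None,
        "basic_auth_extractor_ran": False, "basic_auth_header_present": None,
    }
    for ev in events:
        cls = ev["cls"].rsplit(".", 1)[-1]  # short class name, e.g. SelectAuthenticationFlow
        msg = ev["msg"]
        if cls == "PopulateSessionContext":
            summary["session_found"] = "No session found" not in msg
        elif cls == "PopulateAuthenticationContext":
            m = COUNT_RE.search(msg)
            if m:
                summary["installed_flows"] = int(m.group("n"))
        elif cls == "SelectAuthenticationFlow":
            m = FLOW_RE.search(msg)
            if m:
                summary["selected_flow"] = m.group("flow")
        elif cls == "ExtractUsernamePasswordFromBasicAuth":
            summary["basic_auth_extractor_ran"] = True
            summary["basic_auth_header_present"] = "No appropriate Authorization header" not in msg
    return summary

if __name__ == "__main__":
    print(summarize_authn(parse_log(SAMPLE_LOG)))
```

The summary keeps the two facts apart that the raw trail blurs: the flow that was selected (authn/Password) and the outcome of the Basic-auth header extractor, which in this trail reports that no Authorization header was present.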