How to Choose between two authentication methods

Losen, Stephen C (scl) scl at
Fri Sep 28 07:36:00 EDT 2018

Hi Giovanni,

I am doing the same thing (password or cert) and I am using authn/MFA (multi-factor) because I am using Duo as a second factor. But the MFA flow also controls the password and cert logic.

My views/login.vm has this button for cert login:

<button class="form-element form-button" type="submit" name="_eventId_useCert">Log In With Cert</button>

The string "_eventId_useCert" was a lucky guess.  I saw the string "_eventID_proceed" elsewhere in login.vm.

I defined a "useCert" custom event in conf/authn/authn-events-flow.xml

    <end-state id="useCert" />

        <transition on="useCert" to="useCert" />

So when the user clicks the "Log In With Cert" button, the authn/Password flow triggers the "useCert" event.  If the user enters a valid username/password, then the "proceed" event is triggered.  If the username/password is incorrect, then the authn/Password flow shows the login form again with an error message.

In conf/authn/mfa-authn-config.xml I have set authn/Password to be the first flow.

        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />

When authn/Password finishes, I get a "proceed" or a "useCert" event.

       <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlowStrategyMap">
                        <!-- Maps event to a flow -->
                        <entry key="proceed" value-ref="checkSecondFactor" />
                        <entry key="useCert" value="authn/RemoteUser" />

I am using authn/RemoteUser for my X509 login. You could try using authn/X509 instead, but it may not work like you hope.  Read the documentation carefully.  Since I am also using Duo, "checkSecondFactor" refers to a script that decides if Duo should be run.  If you are not using Duo, then a "nextFlowStrategyMap" may not be what you need.  Or else maybe you can replace value-ref="checkSecondFactor" with value="". I think a null string causes MFA to terminate.  Check the MFA documentation.

I am using RemoteUser for X509 because I have an F5 BigIP in front of the IDP.  The F5 terminates SSL and proxies to the IDP (non-SSL port 8080). I cannot use authn/X509 because the IDP itself does not run SSL.  I have configured the F5 to renegotiate SSL and require a client cert for the /idp/Authn/RemoteUser endpoint (I wrote an F5 iRule).  You could do something similar with Apache httpd as the front end.  When the authn/RemoteUser flow redirects the browser to /idp/Authn/RemoteUser, the F5 renegotiates SSL, requires a client cert, extracts the username from the cert, and passes it to the IDP in an HTTP header.  I configured authn/RemoteUser to retrieve the HTTP header in edit-webapp/WEB-INF/web.xml.

At any rate, if authn/RemoteUser is successful, then I run "checkSecondFactor".

        <entry key="authn/RemoteUser">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlowStrategyMap">
                        <!-- Maps event to a flow -->
                        <entry key="proceed" value-ref="checkSecondFactor" />
                        <entry key="ReselectFlow" value="authn/Password" />

I don't remember exactly what causes a "ReselectFlow" event, but I think it puts up an error message saying something like "no more flows" and login fails.  This is bad if the user clicks the "Log In With Cert" button by mistake.  So this config causes the IDP to display the login page again so the user can enter username/password.

By no means am I an expert on Spring flows and their configuration syntax.  I have relied heavily on the documentation and examples in the Shibboleth IDP wiki pages and a lot of trial and error.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at    434-924-0640
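
A complete conf/authn/mfa-authn-config.xml assembled from the pieces described above, as an added illustration rather than Stephen's actual file. It assumes the stock IdP 3.3 MFA flow beans (shibboleth.authn.MFA.TransitionMap, shibboleth.authn.MFA.Transition, shibboleth.ContextFunctions.Scripted) and that the "useCert" end-state and global transition are defined in conf/authn/authn-events-flow.xml as shown in the message; the body of the checkSecondFactor script is a hypothetical minimal version that sends everyone to authn/Duo unless the request is already satisfied.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of conf/authn/mfa-authn-config.xml (not Stephen's real file).
     Assumes the stock IdP 3.3 MFA login flow; the "useCert" event itself is
     defined in conf/authn/authn-events-flow.xml (end-state + global transition). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <util:map id="shibboleth.authn.MFA.TransitionMap">

        <!-- First step: always show the password login page (which carries the cert button). -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>

        <!-- After authn/Password: "proceed" = valid password, "useCert" = the custom button event. -->
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlowStrategyMap">
                    <map>
                        <entry key="proceed" value-ref="checkSecondFactor" />
                        <entry key="useCert" value="authn/RemoteUser" />
                    </map>
                </property>
            </bean>
        </entry>

        <!-- After authn/RemoteUser (cert login terminated at the proxy): on success run the
             second-factor check; if the flow cannot complete, go back to the password page
             instead of ending the login with an error. -->
        <entry key="authn/RemoteUser">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlowStrategyMap">
                    <map>
                        <entry key="proceed" value-ref="checkSecondFactor" />
                        <entry key="ReselectFlow" value="authn/Password" />
                    </map>
                </property>
            </bean>
        </entry>

    </util:map>

    <!-- Hypothetical decision script: returning a flow id runs that flow next,
         returning null ends the MFA flow with the factor(s) already collected. -->
    <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted"
          factory-method="inlineScript">
        <constructor-arg>
            <value>
            <![CDATA[
                nextFlow = "authn/Duo";
                authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
                mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
                // If what has been collected already satisfies the request, stop here.
                if (mfaCtx.isAcceptable()) {
                    nextFlow = null;
                }
                nextFlow;
            ]]>
            </value>
        </constructor-arg>
    </bean>

</beans>
```

Both "proceed" entries route through checkSecondFactor, so the Duo requirement is applied the same way whether the first factor was a password or a certificate. Because authn/RemoteUser takes the username from an HTTP header set by the F5, the IdP's port 8080 must only be reachable from the proxy, and the proxy must set that header on every request it forwards rather than passing through a value supplied by the client.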

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of graschi
Sent: Friday, September 28, 2018 3:44 AM
To: users at
Subject: How to Choose between two authentication methods

I am porting an idp 2.2.0 server to version 3.3.3.
In the login form our users can type a username and a password OR click on a
button for a login with certificate: 
'speaking' in version 3, they can choose between authn/Password and
How can I translate this authentication page to the new version?
I tried to replicate the behaviour of the old idp, manually merging the
login.vm view with x509-prompt.jsp.
But I met several problems and I think it isn't the main road.
What is the best practice for a page that gives the choice between two (or
more) authentication methods?
                giovanni raschi
