issues with mfa
Aterea Brown
atbrown at aut.ac.nz
Tue Apr 9 18:30:21 EDT 2019
Hi,
This issue seems to have been covered before but the solutions don't seem to apply in this case.
We have implemented mfa and for most of the cases it works just fine.
We have an issue, however: a user logs in, the flow evaluates SPNEGOActivation condition,
this returns true, so it tries SPNEGO, client signals a problem, SPNEGO results in ReSelectFlow,
transitionmap tells it to use authn/Password.
So it presents this to the user, user fills in the details and is logged in.
User goes to open another session, mfa flow runs again (reuse for mfa flow set to false)
SPNEGOActivationCondition: true
SPNEGO: ReSelectFlow
authn/Password: reuse previous result
mfa: returns ReselectFlow.
snippet from logs:
2019-04-10 10:25:21,407 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:221] - Profile Action TransitionMultiFactorAuthentication: MFA flow transition after 'proceed' event to 'authn/SPNEGO' flow
2019-04-10 10:25:21,408 - DEBUG - |snipped| [net.shibboleth.idp.authn.spnego.impl.SPNEGOAutoLoginManager:97] - Auto-login has been disabled.
2019-04-10 10:25:21,763 - WARN - |snipped| [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:224] - SPNEGO authentication problem signaled by client
2019-04-10 10:25:21,823 - INFO - |snipped| [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:130] - Profile Action ValidateExternalAuthentication: External authentication produced error message: SPNEGONotAvailable
2019-04-10 10:25:21,824 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:209] - Profile Action TransitionMultiFactorAuthentication: Applying MFA transition rule to exit state 'authn/SPNEGO'
2019-04-10 10:25:21,824 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:221] - Profile Action TransitionMultiFactorAuthentication: MFA flow transition after 'ReselectFlow' event to 'authn/Password' flow
2019-04-10 10:25:21,824 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:271] - Profile Action TransitionMultiFactorAuthentication: Reusing active result for 'authn/Password' flow
2019-04-10 10:25:21,825 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:209] - Profile Action TransitionMultiFactorAuthentication: Applying MFA transition rule to exit state 'authn/Password'
2019-04-10 10:25:21,825 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:226] - Profile Action TransitionMultiFactorAuthentication: MFA flow completing with event 'ReselectFlow'
2019-04-10 10:25:21,828 - INFO - |snipped| [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:138] - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/MFA to intermediate set
2019-04-10 10:25:21,828 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:264] - Profile Action SelectAuthenticationFlow: No specific Principals requested
From this it would seem that the DefaultMergeStrategy only sees the result from SPNEGO attempt and isn't reusing the password flow.
Suggestions?
--
Aterea Brown, AUT University
Cybersecurity, ICT
Email: atbrown at aut.ac.nz Phone: 9219999 x 6523
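
Added example, not part of the original post or of the Shibboleth code base: a small Python script that rebuilds the MFA step sequence from the TransitionMultiFactorAuthentication log lines quoted above and reports any run where a reused result is followed directly by a non-'proceed' completion. The function names are hypothetical, and treating 'proceed' as the only successful completing event is an assumption.

```python
import re

# Log lines copied from the post above (the WARN line is kept to show filtering).
SAMPLE_LOG = """\
2019-04-10 10:25:21,407 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:221] - Profile Action TransitionMultiFactorAuthentication: MFA flow transition after 'proceed' event to 'authn/SPNEGO' flow
2019-04-10 10:25:21,763 - WARN - |snipped| [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:224] - SPNEGO authentication problem signaled by client
2019-04-10 10:25:21,824 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:221] - Profile Action TransitionMultiFactorAuthentication: MFA flow transition after 'ReselectFlow' event to 'authn/Password' flow
2019-04-10 10:25:21,824 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:271] - Profile Action TransitionMultiFactorAuthentication: Reusing active result for 'authn/Password' flow
2019-04-10 10:25:21,825 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:209] - Profile Action TransitionMultiFactorAuthentication: Applying MFA transition rule to exit state 'authn/Password'
2019-04-10 10:25:21,825 - DEBUG - |snipped| [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:226] - Profile Action TransitionMultiFactorAuthentication: MFA flow completing with event 'ReselectFlow'
"""

PATTERNS = [
    ("transition", re.compile(r"MFA flow transition after '([^']+)' event to '([^']+)' flow")),
    ("reuse", re.compile(r"Reusing active result for '([^']+)' flow")),
    ("complete", re.compile(r"MFA flow completing with event '([^']+)'")),
]

def trace_mfa(log_text):
    """Return the ordered MFA steps as (kind, *fields) tuples."""
    steps = []
    for line in log_text.splitlines():
        # Only the MFA transition action's own messages are of interest.
        if "TransitionMultiFactorAuthentication" not in line:
            continue
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                steps.append((kind, *m.groups()))
                break
    return steps

def reuse_followed_by_failure(steps, ok_event="proceed"):
    """(flow, event) pairs where a reused result is directly followed by a
    completion whose event is not ok_event (assumed to mean success)."""
    hits = []
    for prev, cur in zip(steps, steps[1:]):
        if prev[0] == "reuse" and cur[0] == "complete" and cur[1] != ok_event:
            hits.append((prev[1], cur[1]))
    return hits

if __name__ == "__main__":
    steps = trace_mfa(SAMPLE_LOG)
    for step in steps:
        print(step)
    print("reuse followed by failure:", reuse_followed_by_failure(steps))
```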