InvalidNameIDPolicy occurs when using multi-factor authentication

Noriyuki TAKEI ntakei at sios.com
Mon Feb 4 01:47:07 EST 2019


Sorry, I have sent you an unfinished email.

> Principal identifies a user. A user may have many principals such as mail
> address, SNS account and so on.
> When not using MFA, principal can be defined automatically. When using X509
> process alone,
> principal defines common name of certificates.

When using MFA, principal cannot be defined automatically;
it's because MFA has many flows which have a principal.
So we have to write definitely what a principal is in MFA Script.

On Mon, Feb 4, 2019 at 15:22, Noriyuki TAKEI <ntakei at sios.com> wrote:

> Hi, Nate.
>
> Thanks for your quick reply.
>
> I'm sorry for not understanding "principal" well.
>
> My guess of what "Principal" means is as follows.
>
> Principal identifies a user. A user may have many principals such as mail
> address, SNS account and so on.
> When not using MFA, principal can be defined automatically. When using X509
> process alone,
> principal defines common name of certificates.
>
> Is that correct?
>
> If that's correct, how can I define principal in MFA script?
>
> On Mon, Feb 4, 2019 at 8:36, Nate Klingenstein <ndk at signet.id> wrote:
>
>> Noriyuki,
>>
>> It's not the principal type that's the problem.  It's the actual
>> principal name that you're getting out of the authentication process.  It's
>> probably different for MFA or Password, and the principal name that you get
>> out of MFA process is probably different than the principal name that
>> you're getting out of the Password process alone.  This depends totally on
>> how you wrote the MFA script.  I believe the log should clearly show the
>> principal name that it's using for both LDAP queries, and the Password one
>> successfully matches an ImmutableID, and the MFA one doesn't.
>>
>> Hope this helps,
>> Nate.