How to terminate MFA flow with an error?

Andrew Morgan morgan at orst.edu
Tue Jan 8 01:47:13 EST 2019


On Mon, 7 Jan 2019, Andrew Morgan wrote:

> I'm trying to terminate the MFA flow with an error and display a page to the 
> user, similar to this old thread, when the SP requires Duo but the user 
> hasn't enrolled yet.
>
> I set the event in conf/authn/mfa-authn-config.xml inside the 
> "checkSecondFactor" script:
>
>  mfaCtx.setEvent('DuoRequired');
>  nextFlow = null;
>
> I added states and transitions to conf/authn/authn-events-flow.xml:
>
>    <end-state id="DuoRequired" />
>
>    <global-transitions>
>        <transition on="DuoRequired" to="DuoRequired" />
>        <transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
>    </global-transitions>
>
> I added some messages for this to messages/messages.properties:
>
> # Duo messages
> DuoRequired = duo-required
> duo-required.title = Duo Authentication Required
> duo-required.message = You must sign-up for Duo 2-Step authentication to proceed.
>
> For CAS authentication, when I authenticate as a user without Duo for an SP 
> that requires Duo, I get the error.vm view with my messages.  Yay!
>
> For SAML authentication, a SAML response is generated with an error code:
>
>  <saml2p:Status>
>    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
>    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
>  </saml2p:Status>
>
> How can I get the SAML authentication to present an error page to the user at 
> the IDP?  Do I have to create an intercept?

After further researching, I stumbled across this comment on the 
ContextCheckInterceptConfiguration wiki page:

"If you want to support one or more custom events, you'll need to add the 
event(s) to conf/intercept/intercept-events-flow.xml. The default file 
includes a commented example for an event called "MyCustomEvent". Then 
you'll need to add that event in conf/errors.xml if you want it handled 
with a local error page."

Will creating an entry in the shibboleth.LocalEventMap list in errors.xml 
for DuoRequired cause the error.vm view to be used instead of a SAML 
response?

Thanks,
	Andy
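The two remaining pieces the quoted wiki comment calls for, written out here as an added illustration rather than anything from the original thread or from the Shibboleth project's own files. It follows the MyCustomEvent pattern the comment refers to in conf/intercept/intercept-events-flow.xml, and it assumes the IdP 3 layout of conf/errors.xml in which shibboleth.LocalEventMap is a Spring util:map keyed by event id (the boolean value is taken from the default entries and is assumed to be a logging flag).

```xml
<!-- conf/intercept/intercept-events-flow.xml (added example, not from the post):
     the same two entries already placed in authn-events-flow.xml, so that a
     DuoRequired event raised from an intercept flow also ends the flow on
     its own end-state instead of falling through to InvalidEvent -->
<end-state id="DuoRequired" />

<global-transitions>
    <transition on="DuoRequired" to="DuoRequired" />
    <transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
</global-transitions>

<!-- conf/errors.xml (assumed IdP 3 layout): events keyed here are trapped at
     the IdP and rendered with the local error view (error.vm, which looks up
     the DuoRequired / duo-required.* keys from messages.properties) rather
     than being converted into a SAML Responder status for the SP -->
<util:map id="shibboleth.LocalEventMap">
    <!-- existing default entry, shown for context -->
    <entry key="ContextCheckDenied" value="true" />
    <!-- custom event raised by the checkSecondFactor MFA script -->
    <entry key="DuoRequired" value="true" />
</util:map>
```

Because the SAML profile treats any unmapped event as a failure to report back to the SP, the errors.xml entry is what keeps the user at the IdP, while the intercept-events-flow.xml entries only matter if the event is raised from an intercept rather than the MFA login flow.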

