How to terminate MFA flow with an error?
Andrew Morgan
morgan at orst.edu
Tue Jan 8 01:47:13 EST 2019
On Mon, 7 Jan 2019, Andrew Morgan wrote:
> I'm trying to terminate the MFA flow with an error and display a page to the
> user, similar to this old thread, when the SP requires Duo but the user
> hasn't enrolled yet.
>
> I set the event in conf/authn/mfa-authn-config.xml inside the
> "checkSecondFactor" script:
>
> mfaCtx.setEvent('DuoRequired');
> nextFlow = null;
>
> I added states and transitions to conf/authn/authn-events-flow.xml:
>
> <end-state id="DuoRequired" />
>
> <global-transitions>
>     <transition on="DuoRequired" to="DuoRequired" />
>     <transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
> </global-transitions>
>
> I added some messages for this to messages/messages.properties:
>
> # Duo messages
> DuoRequired = duo-required
> duo-required.title = Duo Authentication Required
> duo-required.message = You must sign-up for Duo 2-Step authentication to proceed.
>
> For CAS authentication, when I authenticate as a user without Duo for an SP
> that requires Duo, I get the error.vm view with my messages. Yay!
>
> For SAML authentication, a SAML response is generated with an error code:
>
> <saml2p:Status>
>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
>     <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
> </saml2p:Status>
>
> How can I get the SAML authentication to present an error page to the user at
> the IDP? Do I have to create an intercept?
After further researching, I stumbled across this comment on the
ContextCheckInterceptConfiguration wiki page:
"If you want to support one or more custom events, you'll need to add the
event(s) to conf/intercept/intercept-events-flow.xml. The default file
includes a commented example for an event called "MyCustomEvent". Then
you'll need to add that event in conf/errors.xml if you want it handled
with a local error page."
Will creating an entry in the shibboleth.LocalEventMap list in errors.xml
for DuoRequired cause the error.vm view to be used instead of a SAML
response?
Thanks,
Andy
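[Editor's note, not part of Andy's post or of the Shibboleth IdP distribution: the fragment below shows what the wiki comment quoted above amounts to for the DuoRequired event, i.e. the entry in conf/errors.xml that traps the event at the IdP instead of sending it back to the SP, next to one of the stock entries for comparison. It assumes the IdP 3.x layout of errors.xml (a Spring util:map with the id shibboleth.LocalEventMap); the Boolean value on each entry is copied from the stock entries and is taken here to control whether the event is written to the audit log, which should be confirmed against the comments in the installed file. The event id must match the one set by mfaCtx.setEvent() and the end-state added to authn-events-flow.xml, and the view rendered is the error.vm already keyed by the DuoRequired message property.]

```xml
<!-- conf/errors.xml (fragment, added illustration; not the stock file verbatim) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Events listed here are handled with a local error view (error.vm by
         default) rather than being turned into a SAML Responder status sent
         back to the SP. -->
    <util:map id="shibboleth.LocalEventMap">

        <!-- Stock entry: the context-check intercept's denial event. -->
        <entry key="ContextCheckDenied" value="true" />

        <!-- Custom event raised from the checkSecondFactor script via
             mfaCtx.setEvent('DuoRequired'); the key must match that string
             and the <end-state id="DuoRequired"/> in authn-events-flow.xml.
             The Boolean value mirrors the stock entries and is assumed to
             control auditing of the event (see the comment in your copy of
             errors.xml). -->
        <entry key="DuoRequired" value="true" />

    </util:map>

</beans>
```

The corresponding text comes from messages/messages.properties exactly as in the post: the "DuoRequired = duo-required" line maps the event to the "duo-required.title" and "duo-required.message" keys that error.vm renders.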