MFA with Extended Flow

Ben Savage ben.savage at deakin.edu.au
Wed May 22 02:40:22 EDT 2019


Hi All,

I'm currently working on setting up Duo with Shibboleth using Authentication flows in IdP 3.4. So far it works just fine with our original password flow, with the exception of when I use SPNEGO, which in our setup is an Extended Flow of Password.

When SPNEGO is attempted, I get the following error:
Uncaught Exception: A software error was encountered that prevents normal operation:
org.springframework.binding.expression.EvaluationException: An ELException occurred getting the value for expression 'opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext)).getAttemptedFlow().getId()' on context [class org.springframework.webflow.engine.impl.RequestControlContextImpl]

More specifically from the idp-process.log:
2019-05-22 11:06:37,552 - 10.X.X.X - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.binding.expression.EvaluationException: An ELException occurred getting the value for expression 'opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext)).getAttemptedFlow().getId()' on context [class org.springframework.webflow.engine.impl.RequestControlContextImpl]
        at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:94)
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1011E: Method call: Attempted to call method getId() on null context object
        at org.springframework.expression.spel.ast.MethodReference.throwIfNotNullSafe(MethodReference.java:149)
2019-05-22 11:06:37,554 - 10.X.X.X - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException

Our implementation of SPNEGO seems to differ from other authn/MFA configs I've seen which offer multiple forms of authentication, because the decision to use SPNEGO is made by the user after the password flow has begun (rather than enforced beforehand).
However, from my understanding, as we're using an extended flow, this shouldn't raise too much of a problem, as the Password flow is what should return any responses, passed through from SPNEGO as necessary.
From searching, I've variously added principals and re-ordered flows in authn/general-authn.xml, but to no avail (and so reverted to our original ordering).

authn/general-authn.xml:
...
        <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
                p:nonBrowserSupported="false">
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="urn:ietf:rfc:1510" />
                </list>
            </property>
        </bean>

        <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true" />

        <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
                p:forcedAuthenticationSupported="true"
                p:nonBrowserSupported="false">
            <!--
            The list below should be changed to reflect whatever locally- or
            community-defined values are appropriate to represent MFA. It is
            strongly advised that the value not be specific to Duo or any
            particular technology.
            -->
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="http://example.org/ac/classes/mfa" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="http://example.org/ac/classes/mfa" />
                </list>
            </property>
        </bean>

        <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true">
            <!--
            The list below almost certainly requires changes, and should generally be the
            union of any of the separate factors you combine in your particular MFA flow
            rules. The example corresponds to the example in mfa-authn-config.xml that
            combines IPAddress with Password.
            -->
            <property name="supportedPrincipals">
                <list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Duo" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
                </list>
            </property>
        </bean>
...


mfa-authn-config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

       default-init-method="initialize"
       default-destroy-method="destroy">

    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <!-- First rule runs the Password login flow. -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>
        <entry key="authn/Password">
            <!-- run the Duo flow after password auth succeeds -->
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Duo" />
        </entry>
        <!-- An implicit final rule will return whatever the final flow returns. -->
    </util:map>

</beans>


Extended flow section of authn/password-authn-config.xml:
    <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="SPNEGO" />

    <util:list id="shibboleth.authn.Password.ExtendedFlowParameters">
        <value>_shib_idp_SPNEGO_enable_autologin</value>
    </util:list>

Regards,
Ben

--
Ben Savage
Systems Administrator, DeS Systems Unit
eSolutions

Deakin University
Geelong Waterfront Campus, 1 Gheringhap Street, Geelong, VIC 3220
Phone: +61 3 522 78118
ben.savage at deakin.edu.au
www.deakin.edu.au
Deakin University CRICOS Provider Code 00113B
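An added example, not from the post or from the Shibboleth project: the comment in general-authn.xml says authn/MFA's supportedPrincipals should generally be the union of the factors the MFA flow combines, yet the posted MFA bean advertises Duo and Password URNs while authn/Duo advertises http://example.org/ac/classes/mfa and the SPNEGO extended flow advertises Kerberos. The check below parses constructed samples modelled on the excerpts above (the extended flow name is passed in by hand rather than read from password-authn-config.xml) and reports the differences for review.

```python
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
P = "http://www.springframework.org/schema/p"
C = "http://www.springframework.org/schema/c"

# Constructed samples modelled on the excerpts in the post (not the real files):
# the Password excerpt shows no supportedPrincipals, so it declares none here either.
GENERAL_AUTHN = f"""<beans xmlns="{BEANS}" xmlns:p="{P}" xmlns:c="{C}">
  <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"><property name="supportedPrincipals"><list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"/>
  </list></property></bean>
  <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"/>
  <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"><property name="supportedPrincipals"><list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://example.org/ac/classes/mfa"/>
  </list></property></bean>
  <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"><property name="supportedPrincipals"><list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Duo"/>
    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"/>
  </list></property></bean>
</beans>"""
MFA_CONFIG = f"""<beans xmlns="{BEANS}" xmlns:util="http://www.springframework.org/schema/util" xmlns:p="{P}">
  <util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key=""><bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password"/></entry>
    <entry key="authn/Password"><bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Duo"/></entry>
  </util:map>
</beans>"""

def principals_by_flow(general_authn_xml):
    """Map each authn/* flow bean id to the c:classRef / c:method values nested under it."""
    flows = {}
    for bean in ET.fromstring(general_authn_xml).iter(f"{{{BEANS}}}bean"):
        fid = bean.get("id")
        if fid and fid.startswith("authn/"):
            nested = (b for b in bean.iter(f"{{{BEANS}}}bean") if b is not bean)
            flows[fid] = {v for b in nested for v in (b.get(f"{{{C}}}classRef"), b.get(f"{{{C}}}method")) if v}
    return flows

def combined_flows(mfa_config_xml, extended_flows=()):
    """Every p:nextFlow in the transition map, plus extended flows the caller names (e.g. 'SPNEGO')."""
    beans = ET.fromstring(mfa_config_xml).iter(f"{{{BEANS}}}bean")
    flows = {b.get(f"{{{P}}}nextFlow") for b in beans if b.get(f"{{{P}}}nextFlow")}
    return flows | {f"authn/{name}" for name in extended_flows}

def check_mfa_principals(general_authn_xml, mfa_config_xml, extended_flows=()):
    """Compare authn/MFA's supportedPrincipals with the union of the factors it combines."""
    by_flow = principals_by_flow(general_authn_xml)
    union = set().union(*(by_flow.get(f, set()) for f in combined_flows(mfa_config_xml, extended_flows)))
    mfa = by_flow.get("authn/MFA", set())
    return {"missing_from_mfa": sorted(union - mfa), "not_declared_by_any_factor": sorted(mfa - union)}
```

Run `check_mfa_principals(GENERAL_AUTHN, MFA_CONFIG, ("SPNEGO",))` against the samples and both lists come back non-empty, which is what the union rule in the general-authn.xml comment says to look at first.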
