Authentication failed with my Password/SPNEGO MFA configuration

Wessel, Keith kwessel at
Tue Nov 12 18:04:07 EST 2019

Hi, all,

I mentioned a few weeks back that I created an MFA flow that used SPNEGO and intelligently failed back to Password before proceeding to Duo if SPNEGO failed. Turns out that my configuration only worked when p:reuseCondition was set to true for the authn/MFA bean. When set to false, authentication worked for the first authentication of a browser session. Subsequent attempts result in the IdP reporting authentication failed and returning a failed SAML authn response to the SP.

For what it's worth, I'm including my MFA flow below. But I don't think that's the problem. We need to have reuseCondition set to false to make step-up authentication work, or at least that's the only way I can think of to make it work. Given that constraint, is there any way to make the below function properly? Or perhaps I should start with can anyone tell me why it might be failing? I'm wondering if the event coming out of the SPNEGO flow might be a proceed event on subsequent authentications for some reason, though I can't figure out why.

Any thoughts appreciated.


    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <!-- Start with SPNEGO. -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SPNEGO" />
        </entry>

        <!-- On a proceed event from SPNEGO, run the second-factor check;
             on any other event, fall back to Password. -->
        <entry key="authn/SPNEGO">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlowStrategyMap">
                    <map>
                        <entry key="proceed" value-ref="checkSecondFactor" />
                        <entry key="*" value="authn/Password" />
                    </map>
                </property>
            </bean>
        </entry>

        <!-- After Password, always run the second-factor check. -->
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
        </entry>
    </util:map>
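The following is an added, self-contained version of the same SPNEGO-then-Password-then-Duo pattern, not code from the original post. It assumes the transition map lives in conf/authn/mfa-authn-config.xml with the Spring util and p namespaces declared, and it supplies the checkSecondFactor script bean the post references but does not show: a scripted function that ends the MFA flow when the factors run so far already satisfy the request and otherwise hands off to authn/Duo. The p:reuseCondition="false" setting on the authn/MFA bean that the post describes lives in conf/authn/general-authn.xml and is not repeated here.

```xml
<!-- Added example (not from the original post); assumed file: conf/authn/mfa-authn-config.xml -->
<util:map id="shibboleth.authn.MFA.TransitionMap">

    <!-- Empty key: the first flow to run. Try SPNEGO first. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SPNEGO" />
    </entry>

    <!-- After SPNEGO: a proceed event means a Kerberos ticket was accepted,
         so decide whether a second factor is still needed. Any other event
         (no ticket, browser did not negotiate, user cancelled) falls back to
         Password. The "proceed" / "*" keys mirror the map in the post above. -->
    <entry key="authn/SPNEGO">
        <bean parent="shibboleth.authn.MFA.Transition">
            <property name="nextFlowStrategyMap">
                <map>
                    <entry key="proceed" value-ref="checkSecondFactor" />
                    <entry key="*" value="authn/Password" />
                </map>
            </property>
        </bean>
    </entry>

    <!-- After Password: always consult the second-factor check. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>

    <!-- Duo is terminal: no entry for authn/Duo, so the MFA flow finishes
         with whatever event Duo returns. -->
</util:map>

<!-- Assumed helper (not shown in the post): decides whether to run Duo.
     Returning null ends the MFA flow with the factor(s) already collected;
     returning a flow ID runs that flow next. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted"
        factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
            // "input" is the ProfileRequestContext the MFA flow passes in.
            nextFlow = "authn/Duo";

            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx  = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

            // isAcceptable() is true when the results gathered so far (SPNEGO or
            // Password in this map) already meet the request's requirements,
            // e.g. the SP did not ask for a stronger authentication context.
            if (mfaCtx.isAcceptable()) {
                nextFlow = null;
            }

            nextFlow;   // value of the last expression is the function result
        ]]>
        </value>
    </constructor-arg>
</bean>
```

When debugging a case like the one in the post, the useful check is the event ID that SPNEGO actually emits on the second attempt: raising net.shibboleth.idp.authn to DEBUG in logback.xml shows which key the transition map is matched against, which tells you whether the "*" fallback or the "proceed" branch was taken.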
