Authentication failed with my Password/SPNEGO MFA configuration
Wessel, Keith
kwessel at illinois.edu
Tue Nov 12 18:04:07 EST 2019
Hi, all,
I mentioned a few weeks back that I created an MFA flow that used SPNEGO and intelligently failed back to Password before proceeding to Duo if SPNEGO failed. Turns out that my configuration only worked when p:reuseCondition was set to true for the authn/MFA bean. When set to false, authentication worked for the first authentication of a browser session. Subsequent attempts result in the IdP reporting authentication failed and returning a failed SAML authn response to the SP.
For what it's worth, I'm including my MFA flow below. But I don't think that's the problem. We need to have reuseCondition set to false to make step-up authentication work, or at least that's the only way I can think of to make it work. Given that constraint, is there any way to make the below function properly? Or perhaps I should start with this: can anyone tell me why it might be failing? I'm wondering if the event coming out of the SPNEGO flow might be a proceed event on subsequent authentications for some reason, though I can't figure out why.
Any thoughts appreciated.
Keith
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Entry point: always try SPNEGO first. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SPNEGO" />
    </entry>
    <!-- After SPNEGO: on "proceed" run the second-factor strategy; on any other event fall back to Password. -->
    <entry key="authn/SPNEGO">
        <bean parent="shibboleth.authn.MFA.Transition">
            <property name="nextFlowStrategyMap">
                <map>
                    <entry key="proceed" value-ref="checkSecondFactor" />
                    <entry key="*" value="authn/Password" />
                </map>
            </property>
        </bean>
    </entry>
    <!-- After Password: run the second-factor strategy. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>
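As an added illustration, not part of Keith's post: the transition map above references a checkSecondFactor bean but does not show it. Below is the scripted next-flow strategy pattern documented for the Shibboleth IdP MFA flow, filled in with the Duo flow name from the post. The script body, the decision it makes, and its placement alongside the map are assumptions for this example; it is not Keith's bean and it does not change the reuseCondition behaviour described above.

```xml
<!-- Assumed example: the nextFlowStrategy bean the transition map names as
     checkSecondFactor. The script's last expression is its return value:
     the id of the next flow to run, or null to finish with the factors
     already collected. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted"
      factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
            // Default: step up to the second factor.
            nextFlow = "authn/Duo";

            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

            // If the results gathered so far (SPNEGO or Password) already satisfy
            // what this request requires, stop here instead of invoking Duo.
            if (mfaCtx.isAcceptable()) {
                nextFlow = null;
            }

            nextFlow;   // returned to the MFA flow as the next flow id
        ]]>
        </value>
    </constructor-arg>
</bean>
```

The strategy runs each time the MFA flow reaches that transition, so with reuseCondition set to false it is consulted on every request rather than once per session; that is what lets the same map serve both a plain login and a later step-up.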