Authentication failed with my Password/SPNEGO MFA configuration

Cantor, Scott cantor.2 at osu.edu
Tue Nov 12 18:12:25 EST 2019


On 11/12/19, 6:04 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> I'm wondering if the event coming out of the SPNEGO flow might be a proceed event on subsequent authentications for
> some reason, though I can't figure out why.

I can't really diagnose anything without evidence of what the failure is in response to, but I would assume it's probably doing that. Not reusing the MFA result doesn't prevent the subflows it's running from being reused. The active subresults are unpacked and saved off and may be reused any time those flows are run by the MFA rules, so a previous SPNEGO result would be potentially reused when you "run" it, as would Password.

If things are failing, usually it's because of a screwed up set of supportedPrincipals in the relevant places and an MFA script that's not taking into consideration what the end result it's producing actually supports.

The examples that run the isAcceptable() checks show how to prevent a second factor from running when it's not needed, but that doesn't prevent a final result from being unacceptable if the final result just doesn't satisfy the request.

-- Scott



