Authentication failed with my Password/SPNEGO MFA configuration

Wessel, Keith kwessel at illinois.edu
Wed Nov 13 09:48:15 EST 2019


Hi, Scott,

The reuse of the component flow results was what I suspected, but I've tinkered with that and still haven't gotten anywhere. Furthermore, it makes no sense to me why that's an issue for authn requests against existing IdP sessions but not for newly created ones. After all, before adding SPNEGO to the mix (before, I just had authn/Password leading to the checkSecondFactor bean), this was working fine for subsequent logins.

The log isn't helping me, but maybe it'll give you or someone else a clue. For some reason, the authn/Password flow isn't leading to a cached result on the Duo flow. In fact, it doesn't even seem to be running the Duo flow, which tells me my checkSecondFactor bean may or may not be getting called at all. But that bean and included script are identical with and without the SPNEGO piece added in.

Any thoughts?

Thanks,
Keith

2019-11-13 08:35:11,103 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:221] - Profile Action PopulateAuthenticationContext: Installed 2 potential authentication flows into AuthenticationContext - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,204 - DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] - Profile Action InitializeRequestedPrincipalContext: Profile configuration did not supply any default authentication methods - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,205 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:53] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,206 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:53] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,211 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:264] - Profile Action SelectAuthenticationFlow: No specific Principals requested - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,212 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:309] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,212 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:363] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/SPNEGO - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,214 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:138] - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/SPNEGO to intermediate set - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,215 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:264] - Profile Action SelectAuthenticationFlow: No specific Principals requested - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,215 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:309] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,215 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:363] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/MFA - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,222 - DEBUG [net.shibboleth.idp.authn.impl.PopulateMultiFactorAuthenticationContext:164] - Profile Action PopulateMultiFactorAuthenticationContext: 2 active result(s) extracted for possible reuse - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,229 - DEBUG [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:207] - Profile Action TransitionMultiFactorAuthentication: Applying MFA transition rule to determine initial state - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,230 - DEBUG [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:221] - Profile Action TransitionMultiFactorAuthentication: MFA flow transition after 'proceed' event to 'authn/SPNEGO' flow - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,231 - DEBUG [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:209] - Profile Action TransitionMultiFactorAuthentication: Applying MFA transition rule to exit state 'authn/SPNEGO' - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,231 - DEBUG [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:221] - Profile Action TransitionMultiFactorAuthentication: MFA flow transition after 'ReselectFlow' event to 'authn/Password' flow - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,232 - DEBUG [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:271] - Profile Action TransitionMultiFactorAuthentication: Reusing active result for 'authn/Password' flow - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,232 - DEBUG [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:209] - Profile Action TransitionMultiFactorAuthentication: Applying MFA transition rule to exit state 'authn/Password' - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,234 - DEBUG [net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication:226] - Profile Action TransitionMultiFactorAuthentication: MFA flow completing with event 'ReselectFlow' - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,237 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:138] - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/MFA to intermediate set - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,237 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:264] - Profile Action SelectAuthenticationFlow: No specific Principals requested - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,238 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:309] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]
2019-11-13 08:35:11,238 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:313] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication failed - [session=node0884dne262pwm1mlj0fi6yk63c4] [ip=10.193.6.152]

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, November 12, 2019 5:12 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Authentication failed with my Password/SPNEGO MFA configuration

On 11/12/19, 6:04 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> I'm wondering if the event coming out of the SPNEGO flow might be a proceed event on subsequent authentications for
> some reason, though I can't figure out why.

I can't really diagnose anything without evidence of what the failure is in response to, but I would assume it's probably doing that. Not reusing the MFA result doesn't prevent the subflows it's running from being reused. The active subresults are unpacked and saved off and may be reused any time those flows are run by the MFA rules, so a previous SPNEGO result would be potentially reused when you "run" it, as would Password.

If things are failing, usually it's because of a screwed up set of supportedPrincipals in the relevant places and an MFA script that's not taking into consideration what the end result it's producing actually supports.

The examples that run the isAcceptable() checks show how to prevent a second factor from running when it's not needed, but that doesn't prevent a final result from being unacceptable if the final result just doesn't satisfy the request.

-- Scott
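The reuse and isAcceptable() points above, as an added stand-alone model (not the IdP's API, not a Nashorn MFA script, and not code from either poster): the active subresults, the requested principals, the checkSecondFactor decision and the final-result check are all constructed here, and the principal names are placeholders.

```javascript
// Constructed model of a Shibboleth-style MFA "check second factor" decision.
// Placeholder principal names; the real ones come from your supportedPrincipals config.
const MFA_PRINCIPAL = "urn:example:ac:mfa";
const PASSWORD_PRINCIPAL = "urn:example:ac:password";

// One unpacked, still-active subflow result as the MFA rules would see it on a
// later request against the same IdP session.
function makeResult(flowId, supportedPrincipals, expired = false) {
  return { flowId, supportedPrincipals: new Set(supportedPrincipals), expired };
}

// Same idea as the isAcceptable() check: the result must be live and must
// support every principal the request asked for (an empty request asks for none).
function isAcceptable(result, requested) {
  if (!result || result.expired) return false;
  return requested.every((p) => result.supportedPrincipals.has(p));
}

// Transition out of the checkSecondFactor state.
// activeResults: Map of flow id -> result (the reusable subresults);
// requested: principals demanded by the request, [] when nothing specific.
// Returns the next flow id to run, or null to let the MFA flow complete.
function checkSecondFactor(activeResults, requested) {
  // 1. A live Duo result that already satisfies the request: nothing more to run.
  if (isAcceptable(activeResults.get("authn/Duo"), requested)) return null;
  // 2. The request names principals, none of them MFA, and the first factor that
  //    ran (Password or SPNEGO) covers them: the second factor is not needed.
  const first = activeResults.get("authn/Password") || activeResults.get("authn/SPNEGO");
  const wantsMfa = requested.length === 0 || requested.includes(MFA_PRINCIPAL);
  if (!wantsMfa && isAcceptable(first, requested)) return null;
  // 3. Otherwise run Duo; with no specific request this model defaults to MFA.
  return "authn/Duo";
}

// Final gate: even when every subflow "succeeds", the merged MFA result is only
// usable if the principals it ends up supporting cover the request.
function finalResultSatisfies(mfaSupportedPrincipals, requested) {
  const supported = new Set(mfaSupportedPrincipals);
  return requested.every((p) => supported.has(p));
}
```

Run the second scenario in the test with an expired Duo result to see why a "successful" password reuse can still end in a Duo prompt or, if the MFA flow's own supportedPrincipals omit the MFA principal, in a final result that satisfies nothing.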

