Authentication failed with my Password/SPNEGO MFA configuration

[Wessel, Keith]

Thanks, Scott. I actually didn't want to run SPNEGO outside of MFA at all, but I couldn't get the flow to show up as a button on my login.vm without enabling the flow in idp.properties.

Is there a way to get it to show up as an extended flow listed in the password authn config without also listing it as an active flow?

Regardless, we still do need it as part of our MFA flow as we don't want folks getting in on SPNEGO alone without Duo. It sounds like I hope no hope of that until this bug is addressed. Is that correct?

Thanks,
Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, November 13, 2019 9:35 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Authentication failed with my Password/SPNEGO MFA configuration

On 11/13/19, 10:25 AM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:

> But...if you wanted to keep it all inside MFA (and you'd need to stop 
> enabling SPNEGO by itself to do that), the bug fix I think you would need is to insert a scripting step that handles the failure from SPNEGO and overwrites a field to clear it.

Actually, I don't think that will work around it, I think the bug runs deeper and the event it's returning is probably an actual event from elsewhere in the state of the request, not that particular slot.

I'll file a bug but I'll have to come up with some reproduction strategy for it to be sure I'm understanding what's wrong.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net