Authentication failed with my Password/SPNEGO MFA configuration

Wessel, Keith kwessel at illinois.edu
Wed Nov 13 11:04:58 EST 2019 

Thanks, Scott. Didn't even think about triggering the events to run a subflow within the MFA framework. That makes perfect sense.

I'd offer to file a bug on this issue, but I'm not even sure how to describe it. It sounds like you've got it covered, though. If there's a scriptable solution or workaround, I'd be eager to know when you find out.

Thanks again,
Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, November 13, 2019 9:56 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Authentication failed with my Password/SPNEGO MFA configuration

On 11/13/19, 10:42 AM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> Is there a way to get it to show up as an extended flow listed in the password authn config without also listing it as an 
> active flow?

That extended flows thing is deprecated without being officially planned for removal yet. If not for the bug here, the answer would to be avoid it, and not use the existing Password/SPNEGO stuff, you should script all that from the MFA flow. Buttons can trigger events, and the MFA rules can respond to events, etc. That's all doable without any of the older features. The problem is the handling of the failure right now.
 
> Regardless, we still do need it as part of our MFA flow as we don't want folks getting in on SPNEGO alone without Duo.
> It sounds like I hope no hope of that until this bug is addressed. Is that correct?

Until I know what's really going on I can't really even envision what would work as a fix. Perhaps some kind of dummy subflow to run just to clear the state of the system, so that could be run as a consequence of the failure event from SPNEGO. I think it might be fixable just with a script, but I have to see it first.

-- Scott


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list