Authentication failed with my Password/SPNEGO MFA configuration

Losen, Stephen C (scl) scl at virginia.edu
Wed Nov 13 12:41:29 EST 2019


Hi,
I don't know if this applies or not, but we are using a button in login.vm to let the user select an x509 client certificate login instead of username/password. The client cert stuff is handled by our F5 load balancer and we are using RemoteUser to fetch the username from a HTTP header passed by the F5. But that's not really the point here. The button on our login.vm causes the Password flow to return with a custom event (UseCert). In our MFA config, if Password returns this event, then MFA launches RemoteUser. If Password returns "proceed" or RemoteUser returns "proceed" then MFA launches Duo. So the user sees the login page and can either enter username/password or click the "Use Cert" button. If either succeeds, then they go to Duo. Perhaps you could have a similar button for SPNEGO, which I know nothing about, so this approach may not work. By the way, MFA is the only flow enabled in our idp.properties.

Steve Losen
Research Computing
University of Virginia
scl at virginia.edu   434-924-0640
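
The transition map Steve describes, written out as an added example of a Shibboleth IdP mfa-authn-config.xml (this is not UVA's actual configuration and is not code from the list post). It assumes the Password flow is already wired to emit a custom event named UseCert when the "Use Cert" button is pressed and that authn/RemoteUser is configured to read the F5-supplied header; neither of those pieces is shown here. The point worth checking in any such map is that every successful branch (Password or RemoteUser) converges on authn/Duo, so no path completes MFA on a single factor:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of conf/authn/mfa-authn-config.xml, not the original poster's file. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <util:map id="shibboleth.authn.MFA.TransitionMap">

        <!-- Entry point: MFA always starts by running the Password login flow,
             which renders login.vm with both the username/password form and
             the "Use Cert" button. -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>

        <!-- After Password: branch on the event it returned.
             "proceed" means username/password succeeded, so go straight to Duo.
             "UseCert" is the custom event raised by the button (assumed to be
             wired up elsewhere); hand off to RemoteUser to pick up the
             certificate-derived username from the load balancer header. -->
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlowStrategyMap">
                    <map>
                        <entry key="proceed" value="authn/Duo" />
                        <entry key="UseCert" value="authn/RemoteUser" />
                    </map>
                </property>
            </bean>
        </entry>

        <!-- After RemoteUser succeeds, Duo is still mandatory: the certificate
             path must not bypass the second factor. Any non-proceed event from
             RemoteUser has no mapping here and therefore fails the MFA flow. -->
        <entry key="authn/RemoteUser">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Duo" />
        </entry>

        <!-- No transition is defined after authn/Duo: a "proceed" from Duo ends
             the MFA flow successfully. -->

    </util:map>

</beans>
```

Because only the MFA flow is enabled in idp.properties (as in Steve's setup), the IdP cannot be asked for authn/Password or authn/RemoteUser directly; they are reachable only as steps inside this map, which is what keeps Duo from being skipped.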

On 11/13/19, 10:42 AM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

    Thanks, Scott. I actually didn't want to run SPNEGO outside of MFA at all, but I couldn't get the flow to show up as a button on my login.vm without enabling the flow in idp.properties.
    
    Is there a way to get it to show up as an extended flow listed in the password authn config without also listing it as an active flow?
    
    Regardless, we still do need it as part of our MFA flow as we don't want folks getting in on SPNEGO alone without Duo. It sounds like I have no hope of that until this bug is addressed. Is that correct?
    
    Thanks,
    Keith
    
    
    -----Original Message-----
    From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
    Sent: Wednesday, November 13, 2019 9:35 AM
    To: Shib Users <users at shibboleth.net>
    Subject: Re: Authentication failed with my Password/SPNEGO MFA configuration
    
    On 11/13/19, 10:25 AM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:
    
    > But...if you wanted to keep it all inside MFA (and you'd need to stop 
    > enabling SPNEGO by itself to do that), the bug fix I think you would need is to insert a scripting step that handles the failure from SPNEGO and overwrites a field to clear it.
    
    Actually, I don't think that will work around it, I think the bug runs deeper and the event it's returning is probably an actual event from elsewhere in the state of the request, not that particular slot.
    
    I'll file a bug but I'll have to come up with some reproduction strategy for it to be sure I'm understanding what's wrong.
    
    -- Scott
    
    
    --
    For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net