SOLVED: Re: SPNEGO and MFA - No potential flows left to choose from, canonicalization will fail

Martin Haase Martin.Haase at
Wed Oct 2 09:03:17 EDT 2019

Dear Scott,

thanks for your reply.

Just reporting what we did in the end: a) in mfa-auth config, we added a
function to also select the first factor - password vs spnego, if
available and within IP range. b) we located the place in the 3rd party
privacyIDEA Shibboleth IdP plugin code that incepts a UserPrincipal
where it is actually useless (it's the same as the input Principal's
username), and we just removed it. Thus we can use the Simple C14N
again, since we have exactly 1 Principal in the end.

This just works now.

Thanks for the great support!


On 25.09.19 at 14:57, Cantor, Scott wrote:
> It's hard to enable MFA and anything else unless they're completely
> distinct.
> The actual error though is a lack of appropriate/workable subject c14n
> for the final output of the MFA flow, so it's failing that step and
> falling into the next available login flow (SPNEGO) and for whatever
> reason that bails out quickly for the final failure.
> Simple c14n as a default behavior only succeeds when a single
> UsernamePrincipal is in the result. 0 or more than one will break it
> and require alternative configuration.
> You shouldn't have SPNEGO enabled as a second login flow when you're
> really trying to use the MFA flow to orchestrate it, and that's
> causing more problems and spurious behavior at the end.
> Anything deeper, you'd need to file a support ticket, I can't get into
> the depths on list.
> -- Scott
Dr. Martin Haase, Solutions Engineer

DAASI International GmbH, Europaplatz 3, D-72072 Tübingen, Germany
phone: +49 7071 407109-0
fax:   +49 7071 407109-9  email: martin.haase at

Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
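The two decisions this thread turns on, choosing the first-factor login flow (password vs. SPNEGO, gated on the client's IP range) and whether simple subject c14n can succeed (exactly one UsernamePrincipal in the result), modelled as an added example. This is not Shibboleth IdP or privacyIDEA plugin code: the flow IDs, the CIDR list, the plain-object principal representation and the function names are assumptions for illustration only.

```javascript
// Added example (not Shibboleth IdP code). Models the two rules discussed
// in the thread with plain JavaScript so the logic can be exercised offline.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("invalid IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside the CIDR range, e.g. inCidr("10.1.2.3", "10.0.0.0/8").
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error("invalid prefix length: " + cidr);
  }
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(net) & mask);
}

// Step (a) from the thread: pick the first factor. SPNEGO is only attempted
// when the client sits on an assumed Kerberos-capable network and the
// browser signalled support; everything else falls back to password.
// Flow IDs are assumptions; a real MFA transition script returns whatever
// flow IDs the deployment defines.
function selectFirstFactor(clientIp, spnegoAvailable, kerberosRanges) {
  const onTrustedNetwork = kerberosRanges.some(range => inCidr(clientIp, range));
  return (spnegoAvailable && onTrustedNetwork) ? "authn/SPNEGO" : "authn/Password";
}

// The rule Scott states for simple c14n: it succeeds only when exactly one
// UsernamePrincipal is present. Returns the canonical name, or null when
// c14n would fail (zero or more than one). Principals are modelled as
// { type, name } objects (an assumption, not the IdP's Subject API).
function simpleC14N(principals) {
  const usernames = principals.filter(p => p.type === "UsernamePrincipal");
  return usernames.length === 1 ? usernames[0].name : null;
}

// Constructed sample inputs, not taken from the thread.
const kerberosRanges = ["10.0.0.0/8", "192.168.1.0/24"];
const lanClient = selectFirstFactor("10.1.2.3", true, kerberosRanges);      // "authn/SPNEGO"
const roamingClient = selectFirstFactor("203.0.113.5", true, kerberosRanges); // "authn/Password"

const okResult = simpleC14N([{ type: "UsernamePrincipal", name: "alice" }]);           // "alice"
const twoResult = simpleC14N([{ type: "UsernamePrincipal", name: "alice" },
                              { type: "UsernamePrincipal", name: "alice2" }]);          // null
```

The second UsernamePrincipal in the last call stands in for the extra principal the plugin injected in Martin's case: as long as it is present, `simpleC14N` returns null, which is the failure that pushed the IdP into the next available login flow; removing it leaves exactly one principal and c14n succeeds again.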
