SOLVED: Re: SPNEGO and MFA - No potential flows left to choose from, canonicalization will fail
Martin Haase
Martin.Haase at DAASI.de
Wed Oct 2 09:03:17 EDT 2019
Dear Scott,
thanks for your reply.
Just reporting what we did in the end: a) in mfa-auth config, we added a
function to also select the first factor - password vs spnego, if
available and within IP range. b) we located the place in the 3rd party
privacyIDEA Shibboleth IdP plugin code that incepts a UserPrincipal
where it is actually useless (it's the same as the input Principal's
username), and we just removed it. Thus we can use the Simple C14N
again, since we have exactly 1 Principal in the end.
This just works now.
Thanks for the great support!
Martin
On 25.09.19 at 14:57, Cantor, Scott wrote:
> It's hard to enable MFA and anything else unless they're completely
> distinct.
>
> The actual error though is a lack of appropriate/workable subject c14n
> for the final output of the MFA flow, so it's failing that step and
> falling into the next available login flow (SPNEGO) and for whatever
> reason that bails out quickly for the final failure.
>
> Simple c14n as a default behavior only succeeds when a single
> UsernamePrincipal is in the result. 0 or more than one will break it
> and require alternative configuration.
>
> You shouldn't have SPNEGO enabled as a second login flow when you're
> really trying to use the MFA flow to orchestrate it, and that's
> causing more problems and spurious behavior at the end.
>
> Anything deeper, you'd need to file a support ticket, I can't get into
> the depths on list.
>
> -- Scott
>
>
--
Dr. Martin Haase, Solutions Engineer
DAASI International GmbH Europaplatz 3 D-72072 Tübingen Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9 email: martin.haase at daasi.de
web: www.daasi.de
Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
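For readers looking for the shape of the first step Martin describes (an MFA transition map whose first transition is a script that picks SPNEGO for clients inside a trusted network and Password otherwise, with the MFA flow as the only enabled login flow, as Scott recommends), here is an added example. It is not code from the thread, from DAASI, or from the privacyIDEA plugin. The bean id "selectFirstFactor", the CIDR block, and the second-factor flow id "authn/SecondFactor" are placeholders; the Java classes referenced (the IdP's SpringRequestContext and the java-support IPRange helper) are the ones the IdP's own scripting examples use. The "if available" part of Martin's check is deployment-specific and is not modelled here.

```xml
<!-- Excerpt for conf/authn/mfa-authn-config.xml (added example, placeholders marked below). -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- The empty key is the first transition: a script decides the first factor. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="selectFirstFactor" />
    </entry>
    <!-- Whichever first factor ran, continue with the second factor.
         "authn/SecondFactor" is a placeholder for the real second-factor flow id. -->
    <entry key="authn/SPNEGO">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SecondFactor" />
    </entry>
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SecondFactor" />
    </entry>
    <!-- No entry for the second factor: the MFA flow completes after it runs. -->
</util:map>

<bean id="selectFirstFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        // Nashorn script; 'input' is the ProfileRequestContext for this request.
        var nextFlow = "authn/Password";   // default first factor for everyone else

        // Resolve the client address from the underlying servlet request.
        // Caveat: behind a reverse proxy getRemoteAddr() is the proxy's address
        // unless the container is configured to trust X-Forwarded-For.
        var request = input.getSubcontext("net.shibboleth.idp.profile.context.SpringRequestContext")
                           .getRequestContext().getExternalContext().getNativeRequest();
        var addr = java.net.InetAddress.getByName(request.getRemoteAddr());

        // Placeholder CIDR for the network where Kerberos tickets are expected;
        // replace with the real range(s), one parseCIDRBlock() call each.
        var IPRange = Java.type("net.shibboleth.utilities.java.support.net.IPRange");
        if (IPRange.parseCIDRBlock("10.0.0.0/8").contains(addr)) {
            nextFlow = "authn/SPNEGO";
        }

        nextFlow;   // the script's final expression is the flow id handed back to the MFA flow
        ]]>
        </value>
    </constructor-arg>
</bean>
```

With SPNEGO and Password both driven from inside the MFA flow, neither should appear as a separately enabled login flow; otherwise a c14n failure at the end of MFA falls through to the next flow, which is the spurious behaviour Scott describes. The final Subject must still carry exactly one UsernamePrincipal for the default Simple c14n to succeed, which is why the plugin's duplicate principal had to go.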