SSO between Custom Auth Flow Problems

Trea25 trea25 at hotmail.com
Tue Apr 21 11:41:10 EDT 2020


Hi

I have some problems with the configuration of multiple auth flows on the same
IdP. I created a custom Password auth flow named PasswordExt.

idp.authn.flows= PasswordExt|X509|Password

<bean parent="RelyingPartyByName" c:relyingPartyIds="SP1">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false"
                  p:authenticationFlows="#{{'PasswordExt','X509'}}"/>
        </list>
    </property>
</bean>

<bean parent="RelyingPartyByName" c:relyingPartyIds="SP2">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false"
                  p:authenticationFlows="#{{'Password','X509'}}"/>
        </list>
    </property>
</bean>

This works fine and I can authenticate with both flows, but SSO is failing
between them. When I authenticate with one of them and try to access the
other, the IdP asks me for username and password.

I searched the AuthenticationFlowSelection documentation, modified
supportedPrincipals in general-authn, used AuthnComparisonRules... but I
can't see where the problem is.

Logs:

2020-04-21 17:23:01,082 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.saml.profile.impl.InitializeAuthenticationContext:138] -
Profile Action InitializeAuthenticationContext: Created authentication
context:
AuthenticationContext{initiationInstant=2020-04-21T17:23:01.082+02:00,
isPassive=false, forceAuthn=false, hintedName=null, maxAge=0,
potentialFlows=[], activeResults=[], attemptedFlow=null,
signaledFlowId=null, authenticationStateMap={}, resultCacheable=true,
initialAuthenticationResult=null, authenticationResult=null,
completionInstant=1970-01-01T01:00:00.000+01:00}
2020-04-21 17:23:01,083 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.saml.saml2.profile.impl.ProcessRequestedAuthnContext:174]
- Profile Action ProcessRequestedAuthnContext: AuthnRequest did not contain
a RequestedAuthnContext, nothing to do
2020-04-21 17:23:01,083 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:203] - Profile
Action PopulateAuthenticationContext: Filtered out authentication flow
authn/PasswordExt due to profile configuration
2020-04-21 17:23:01,084 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:221] - Profile
Action PopulateAuthenticationContext: Installed 2 potential authentication
flows into AuthenticationContext
2020-04-21 17:23:01,084 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.session.impl.StorageBackedSessionManager:798] -
Performing primary lookup on session ID
860fe8851656eaf2829ee565273c76fa24d494cb7cd38084ee4391976f9ad0b6
2020-04-21 17:23:01,085 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.session.impl.StorageBackedIdPSession:90] - Updating
expiration of master record for session
860fe8851656eaf2829ee565273c76fa24d494cb7cd38084ee4391976f9ad0b6 to
2020-04-21T18:23:01.085+02:00
2020-04-21 17:23:01,086 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.session.impl.StorageBackedIdPSession:536] - Loading
AuthenticationResult for flow authn/PasswordExt in session
860fe8851656eaf2829ee565273c76fa24d494cb7cd38084ee4391976f9ad0b6
2020-04-21 17:23:01,087 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.session.impl.ExtractActiveAuthenticationResults:121] -
Profile Action ExtractActiveAuthenticationResults: Authentication result
authn/PasswordExt has no corresponding flow descriptor, considering inactive
2020-04-21 17:23:01,087 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.session.impl.ExtractActiveAuthenticationResults:143] -
Profile Action ExtractActiveAuthenticationResults: No active authentication
results, SSO will not be possible
2020-04-21 17:23:01,093 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] -
Profile Action InitializeRequestedPrincipalContext: Profile configuration
did not supply any default authentication methods
2020-04-21 17:23:01,094 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:53] - Profile Action
FilterFlowsByForcedAuthn: Request does not have forced authentication
requirement, nothing to do
2020-04-21 17:23:01,094 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:53] - Profile
Action FilterFlowsByNonBrowserSupport: Request does not have non-browser
requirement, nothing to do
2020-04-21 17:23:01,094 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:264] - Profile
Action SelectAuthenticationFlow: No specific Principals requested
2020-04-21 17:23:01,095 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:309] - Profile
Action SelectAuthenticationFlow: No usable active results available,
selecting an inactive flow
2020-04-21 17:23:01,095 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:363] - Profile
Action SelectAuthenticationFlow: Selecting inactive authentication flow
authn/Password
2020-04-21 17:23:01,096 - 172.28.133.89 - DEBUG
[net.shibboleth.idp.authn.impl.ExtractUsernamePasswordFromBasicAuth:115] -
Profile Action ExtractUsernamePasswordFromBasicAuth: No appropriate
Authorization header found

--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
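As an added diagnostic aid (not part of the original post or of Shibboleth itself), a small Python script that correlates the DEBUG lines quoted above: it pairs the flow that the profile configuration filtered out with the session result that was then treated as having no flow descriptor, which is the pattern preceding "SSO will not be possible". It assumes the one-line log layout shown and, because the quoted lines carry no request id, uses the client address as the correlation key.

```python
import re
from collections import defaultdict

# Constructed sample: IdP DEBUG lines quoted in the post, each re-joined onto one line
SAMPLE_LOG = """\
2020-04-21 17:23:01,083 - 172.28.133.89 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:203] - Profile Action PopulateAuthenticationContext: Filtered out authentication flow authn/PasswordExt due to profile configuration
2020-04-21 17:23:01,087 - 172.28.133.89 - DEBUG [net.shibboleth.idp.session.impl.ExtractActiveAuthenticationResults:121] - Profile Action ExtractActiveAuthenticationResults: Authentication result authn/PasswordExt has no corresponding flow descriptor, considering inactive
2020-04-21 17:23:01,087 - 172.28.133.89 - DEBUG [net.shibboleth.idp.session.impl.ExtractActiveAuthenticationResults:143] - Profile Action ExtractActiveAuthenticationResults: No active authentication results, SSO will not be possible
2020-04-21 17:23:01,095 - 172.28.133.89 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:363] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/Password
"""

LINE_RE = re.compile(r"^(\S+ \S+) - (\S+) - (\w+) \[([^\]]+)\] - (.*)$")
FILTERED_RE = re.compile(r"Filtered out authentication flow (\S+) due to profile configuration")
STALE_RE = re.compile(r"Authentication result (\S+) has no corresponding flow descriptor")
SELECTED_RE = re.compile(r"Selecting inactive authentication flow (\S+)")
SSO_FAILED = "SSO will not be possible"


def diagnose_sso(log_text):
    """Correlate flow-filtering and session-result messages per client address.
    (The quoted lines carry no request id, so the client IP is the only key here.)"""
    report = defaultdict(lambda: {"filtered": set(), "stale_results": set(),
                                  "selected": None, "sso_failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IdP log line in the expected layout
        client, msg = m.group(2), m.group(5)
        entry = report[client]
        if f := FILTERED_RE.search(msg):
            entry["filtered"].add(f.group(1))
        elif s := STALE_RE.search(msg):
            entry["stale_results"].add(s.group(1))
        elif sel := SELECTED_RE.search(msg):
            entry["selected"] = sel.group(1)
        elif SSO_FAILED in msg:
            entry["sso_failed"] = True
    return dict(report)


def explain(report):
    """One finding per client whose existing session was not reused for SSO."""
    findings = []
    for client, e in report.items():
        if not e["sso_failed"]:
            continue
        unusable = sorted(e["stale_results"] & e["filtered"])
        findings.append(f"{client}: result(s) {unusable} in the session come from flows the "
                        f"relying party's profile configuration excludes; fell back to {e['selected']}")
    return findings
```

Run against the sample it reports that the PasswordExt result in the session is from a flow SP2's profile configuration excludes, which is why the IdP selected a fresh authn/Password flow instead of reusing the session.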