InvalidEvent error occurred in MFF Flow

Noriyuki TAKEI ntakei at
Fri Aug 28 13:21:38 UTC 2020


When I use nextFlowStrategyMap in MFA Flow, InvalidEvent occurred.

I'll describe the details.

The error occurs in the flow as described below.

1. A user accesses the target SP.
2. MFA Script(described at the end of this email) checks the user's source
IP Address includes internalip list.
3. If  the user's source IP Address includes internalip list and target SP
requires MFA, the user is required to select the authentication
method(tiqrshib or checkTotpFactor).
4. If the user selects checkTotpFactor and TOTP Authentication is allowed
to be omitted, the error(InvalidEvent) occurs.I found the log as described
below.This error occurred at the if-clause which includes the comment "In
this if-cluase, the error(InvalidEvent) occurred" in MFA Script at the end
of this email.
WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event
occurred while processing the request: InvalidEvent

I understand that Returning null in MFA Flow ends the MFA process.
However, InvalidEvent error occurred in the MFA Flow as described below.

I'd like to know the solution.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns=""


    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition"
p:nextFlow="authn/Password" />

        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition"
p:nextFlowStrategy-ref="checkSecondFactor" />

        <entry key="custom/methodChooser">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlowStrategyMap">
                        <entry key="Choosetiqrshib" value="authn/tiqrshib"
                        <entry key="ChooseSiosTotp"
value-ref="checkTotpFactor" />


    <bean id="checkSecondFactor"
parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
                logger =

                // define IP Address which alllows users to access SP
withuot MFA
                internalIp = ["XXX.XXX.XXX.XXX","YYY.YYY.YYY.YYY"]

                // define SPs(Entity ID) which require MFA
                var mfaList = [

                // get the source IP Address and the target SP's Entity ID
                accessIp = custom.remoteAddr;
                rpid =

       '[MFA] SP: '+ rpid );
       '[MFA] clientIP: ' + custom.remoteAddr );

                // compare source IP Address with internal IP Addresses as
defined above
                matchIp = false;
                for (var i = 0, len = internalIp.length; i< len; ++i) {
                    if (accessIp.startsWith(internalIp[i])){
                            matchIp = true;

                // compare the target SP's Entity ID with SPs' Entity ID
List which require MFA as defined above
                matchSp = false;
                for (var i = 0, len = mfaList.length; i< len; ++i) {
                    if (rpid == mfaList[i]){
                    matchSp = true;

                // If the target SP require MFA and the target SP's IP
Address does not include Internal IP,
                // methodChooser is displayed.
                if(matchSp == true && matchIp == false){
                        nextFlow = "custom/methodChooser";
               '[MFA] NextFlow: ' + nextFlow );
                    nextFlow = null;
           '[MFA] NextFlow: ' + 'none' );

                nextFlow; // pass control to second factor or end with the

    <bean id="checkTotpFactor"
parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
                nextFlow = null;
                logger =

                // get login username
                usernameLookupStrategyClass =
                usernameLookupStrategy = new usernameLookupStrategyClass();
                username = usernameLookupStrategy.apply(input);

                // I developed the module which can omit TOTP
Authentication for a certain period of time.
                // check if TOTP Authentication is allowed to be omitted or
not in the code as below
                checker = custom.get("totpAuthnSessionChecker");
                result = checker.isValidTotpAuthnSession(username);

                if (result) {
                    // return null If TOTP Authentication is allowed to be
                    // In this if-cluase, the error(InvalidEvent) occurred
                    nextFlow = null;
                } else {
                    // return next flow(TOTP) If TOTP Authentication is not
allowed to be omitted
                    nextFlow = "authn/Totp";

    <bean id="TotpAuthnSessionChecker"
        p:httpServletRequest-ref="shibboleth.HttpServletRequest" />
    <util:map id="secondFactorHelpersMap">
        <entry key="attributeResolver"
value-ref="shibboleth.AttributeResolverService" />
        <entry key="totpAuthnSessionChecker"
value-ref="TotpAuthnSessionChecker" />

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list