InvalidEvent error occurred in MFF Flow

Noriyuki TAKEI ntakei at sios.com
Fri Aug 28 13:21:38 UTC 2020


Hi,all

When I use nextFlowStrategyMap in the MFA flow, an InvalidEvent occurs.

I'll describe the details.

The error occurs in the flow as described below.

1. A user accesses the target SP.
2. MFA Script (described at the end of this email) checks whether the user's source
IP address is in the internalIp list.
3. If the user's source IP address is in the internalIp list and the target SP
requires MFA, the user is required to select the authentication
method (tiqrshib or checkTotpFactor).
4. If the user selects checkTotpFactor and TOTP authentication is allowed
to be omitted, the error (InvalidEvent) occurs. I found the log described
below. This error occurred at the if-clause which includes the comment "In
this if-cluase, the error(InvalidEvent) occurred" in MFA Script at the end
of this email.
WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event
occurred while processing the request: InvalidEvent

I understand that returning null in the MFA flow ends the MFA process.
However, the InvalidEvent error occurred in the MFA flow as described below.

I'd like to know the solution.



<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd"

       default-init-method="initialize"
       default-destroy-method="destroy">

    <!-- MFA transitions: run the Password flow first, then let the checkSecondFactor
         script decide whether a second factor is needed; the event emitted by
         custom/methodChooser then selects which second-factor path to take. -->
    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <!-- Empty key: the initial transition, always the Password flow. -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlow" value="authn/Password" />
            </bean>
        </entry>
        <!-- After Password, the next flow is computed by the checkSecondFactor function. -->
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlowStrategy" ref="checkSecondFactor" />
            </bean>
        </entry>
        <!-- Event from the chooser flow -> either a flow ID (value) or a
             decision function (value-ref) that returns the flow ID or null. -->
        <entry key="custom/methodChooser">
            <bean parent="shibboleth.authn.MFA.Transition">
                <property name="nextFlowStrategyMap">
                    <map>
                        <entry key="Choosetiqrshib" value="authn/tiqrshib" />
                        <entry key="ChooseSiosTotp" value-ref="checkTotpFactor" />
                    </map>
                </property>
            </bean>
        </entry>
    </util:map>

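    <!-- Decides, after authn/Password, whether a second factor is required.
         Returns "custom/methodChooser" when the relying party is listed in mfaList
         and the client address is not an internal address; returns null to finish
         MFA with the first factor only.
         NOTE(review): what the Scripted function returns when the script itself
         throws is not visible in this file. If that fallback is null, a script error
         would silently skip MFA, so the script below avoids anything that can throw
         on missing data and fails closed instead; test the error path as well. -->
    <bean id="checkSecondFactor"
          parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
          p:customObject-ref="shibboleth.HttpServletRequest">
        <constructor-arg>
            <value>
            <![CDATA[
                var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");

                // Client addresses allowed to reach MFA-protected SPs with the first factor only.
                // An entry is either a complete address ("XXX.XXX.XXX.XXX") or an octet-aligned
                // network prefix ending in a dot ("10.1."). Entries are never treated as bare
                // string prefixes: "10.1.2" must not match "10.1.23.4", and a complete address
                // must not match a longer address that merely starts with the same digits.
                var internalIp = ["XXX.XXX.XXX.XXX", "YYY.YYY.YYY.YYY"];

                // Relying parties (entityIDs) that require a second factor.
                var mfaList = [
                    "https://sp1.example.org/shibboleth",
                    "https://sp2.example.org/shibboleth"
                ];

                // True when addr equals an entry exactly, or lies inside an entry used as an
                // octet-aligned network prefix. A plain startsWith() comparison is deliberately
                // not used, because it would also accept other hosts/networks that share a
                // leading string with an entry and let them bypass MFA.
                function isInternalAddress(addr) {
                    if (addr == null) {
                        return false;
                    }
                    var s = String(addr);
                    for (var i = 0; i < internalIp.length; i++) {
                        var entry = internalIp[i];
                        var prefix = entry.charAt(entry.length - 1) === "." ? entry : entry + ".";
                        if (s === entry || s.indexOf(prefix) === 0) {
                            return true;
                        }
                    }
                    return false;
                }

                // NOTE(review): remoteAddr is the peer address as seen by the servlet container.
                // Behind a reverse proxy or load balancer that is the proxy's address unless the
                // container is configured to trust forwarding headers - confirm for this
                // deployment, since this value decides whether MFA is skipped.
                var accessIp = custom.remoteAddr;
                var rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
                var rpid = (rpCtx != null) ? rpCtx.relyingPartyId : null;

                logger.info('[MFA] SP: ' + rpid);
                logger.info('[MFA] clientIP: ' + accessIp);

                var matchSp = (rpid != null) && (mfaList.indexOf(String(rpid)) !== -1);
                var matchIp = isInternalAddress(accessIp);

                var nextFlow;
                if (rpid == null) {
                    // The relying party cannot be identified: never decide to skip MFA on
                    // missing data - ask for the second factor.
                    nextFlow = "custom/methodChooser";
                    logger.warn('[MFA] no RelyingPartyContext; requiring second factor');
                } else if (matchSp && !matchIp) {
                    // Protected SP reached from outside the internal ranges: let the user
                    // pick the second-factor method.
                    nextFlow = "custom/methodChooser";
                    logger.info('[MFA] NextFlow: ' + nextFlow);
                } else {
                    // Either the SP does not require MFA or the client is internal:
                    // null ends the MFA flow with the Password result only.
                    nextFlow = null;
                    logger.info('[MFA] NextFlow: ' + 'none');
                }

                nextFlow;
            ]]>
            </value>
        </constructor-arg>
    </bean>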

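    <!-- Second-factor decision for the "ChooseSiosTotp" event: skip authn/Totp when
         the site-local TotpAuthnSessionChecker reports that the user completed TOTP
         recently enough, otherwise run authn/Totp. Fails closed: any missing input
         (no username, no checker, non-boolean answer) requires TOTP.
         NOTE(review): the thread reports InvalidEvent when the null branch below is
         taken. Unlike checkSecondFactor, whose null return directly follows
         authn/Password, this function is reached through nextFlowStrategyMap from the
         custom/methodChooser event; whether a null return is accepted at that point is
         not visible in this file and should be confirmed against the IdP
         documentation for the version in use. -->
    <bean id="checkTotpFactor"
          parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
          p:customObject-ref="secondFactorHelpersMap">
        <constructor-arg>
            <value>
            <![CDATA[
                var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.authn.impl.TransitionMultiFactorAuthentication");

                // Canonical username established by the first factor.
                var usernameLookupStrategyClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
                var username = new usernameLookupStrategyClass().apply(input);

                // Site-local helper (see secondFactorHelpersMap) that decides whether a
                // recent TOTP authentication may be reused instead of prompting again.
                var checker = custom.get("totpAuthnSessionChecker");

                // Default to requiring TOTP; only an explicit positive answer skips it.
                var nextFlow = "authn/Totp";

                if (username == null) {
                    logger.warn('[MFA] no canonical username; requiring TOTP');
                } else if (checker == null) {
                    logger.warn('[MFA] totpAuthnSessionChecker missing from custom map; requiring TOTP');
                } else if (checker.isValidTotpAuthnSession(username) === true) {
                    // Strict comparison: a truthy non-boolean return (string, Java object)
                    // must not be read as permission to skip the second factor.
                    // Returning null ends the MFA flow here; this is the branch on which
                    // the InvalidEvent reported in the thread occurred.
                    nextFlow = null;
                }

                nextFlow;
            ]]>
            </value>
        </constructor-arg>
    </bean>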
    <!-- Site-local helper consulted by checkTotpFactor to decide whether a recent
         TOTP authentication can be reused for this user.
         NOTE(review): secondFactorHelpersMap, which references this bean, is a
         singleton map, so the prototype scope here probably yields a single instance
         captured when that map is built - confirm if per-request state was intended. -->
    <bean id="TotpAuthnSessionChecker"
          class="com.sios.idp.shibboleth.common.TotpAuthnSessionChecker"
          scope="prototype">
        <property name="httpServletRequest" ref="shibboleth.HttpServletRequest" />
    </bean>
    <!-- Objects exposed to checkTotpFactor via its customObject ("custom" in the script).
         Only "totpAuthnSessionChecker" is read by the scripts in this file;
         "attributeResolver" is not referenced by either of them. -->
    <util:map id="secondFactorHelpersMap">
        <entry key="attributeResolver">
            <ref bean="shibboleth.AttributeResolverService" />
        </entry>
        <entry key="totpAuthnSessionChecker">
            <ref bean="TotpAuthnSessionChecker" />
        </entry>
    </util:map>

</beans>

