Shibboleth IDP v4.0 to v4.16 Upgrade - Broken AuthN Flow - Help Required

prasanna cg prasannacgin at
Wed Apr 6 19:25:55 UTC 2022


Reaching out for help.

As a fix for the ‘Spring4Shell’ vulnerability, I am working on an emergency upgrade of our Shibboleth IDP v4.0.1 to v4.1.6. I am doing a quick POC of the upgrade to document the steps. In my POC, I noticed that a custom authentication definition/flow that we were using before the upgrade is broken post-upgrade and no longer works. I get an error message in the “idp-process.log” as below:

2022-04-06 17:57:24,989 - - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.webflow.definition.registry.NoSuchFlowDefinitionException: No flow definition 'authn/CustomMfa' found
	at org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl.getFlowDefinitionHolder(
2022-04-06 17:57:25,003 - - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: RuntimeException

Upon checking the “modules” enabled, I noticed that my custom module was not enabled. Trying to enable it also returns the below error:

# ./ -e idp.authn.CustomMfa
WARN  - Unable to find property resource 'class path resource [../conf/authn/]' (check idp.additionalProperties?)
Unknown modules: [idp.authn.CustomMfa]

My CustomMFA definition gets invoked from the MFA Authentication definition, with “mfa-authn-config.xml” having a JavaScript for conditional invocation based on a user’s AD attribute.

Post-upgrade, I see the custom authentication definition continues to have the bean definition entry in “authn/general-authn.xml”. But I don't see any entry added for it in “authn/”.

Can someone provide pointers on what I am missing as part of the upgrade and what is required to have my authentication flow restored with 4.1.6?
