Shibboleth IDP v4.0 to v4.16 Upgrade - Broken AuthN Flow - Help Required
prasanna cg
prasannacgin at yahoo.in
Wed Apr 6 19:25:55 UTC 2022
Hello,
Reaching out for help.
As a fix for the ‘Spring4Shell’ vulnerability, I am working on an emergency upgrade of our Shibboleth IDP v4.0.1 to v4.1.6. I am doing a quick POC of the upgrade to document the steps. In my POC, I noticed that a custom authentication definition/flow that we were using before the upgrade is broken post upgrade and it no longer works. I get an error message in the “idp-process.log” as below:
2022-04-06 17:57:24,989 - 172.19.38.154 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.webflow.definition.registry.NoSuchFlowDefinitionException: No flow definition 'authn/CustomMfa' found
at org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl.getFlowDefinitionHolder(FlowDefinitionRegistryImpl.java:123)
2022-04-06 17:57:25,003 - 172.19.38.154 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: RuntimeException
Upon checking the “modules” enabled, I noticed that my custom module was not enabled. Trying to enable it also returns the below error:
# ./module.sh -e idp.authn.CustomMfa
WARN - Unable to find property resource 'class path resource [../conf/authn/duo.properties]' (check idp.additionalProperties?)
Unknown modules: [idp.authn.CustomMfa]
My CustomMFA definition gets invoked from the MFA Authentication definition with - “mfa-authn-config.xml” having a Java script for conditional invocation based on a user’s AD attribute.
Post upgrade, I see the custom authentication definition continues to have the bean definition entry in “authn/general-authn.xml”. But I don't see any entry added for it in “authn/authn.properties”.
Can someone provide pointers on what I am missing as part of the upgrade and what is required to have my authentication flow restored with 4.1.6?
Thanks,
Prasanna