Shibboleth IDP v4.0 to v4.16 Upgrade - Broken AuthN Flow - Help Required

Cantor, Scott cantor.2 at
Wed Apr 6 20:05:29 UTC 2022

There are no modules in 4.0 and your custom login flow, which I'm not certain you should have even built, is not a module, so you don't have to enable it or try and make it something it isn't. It's just a custom webflow. Nothing was changed in 4.1 in that regard.

> I get an error message in the “idp-process.log” as below

Then your flow isn't in the proper place and you did something unsupported to begin with. Flows live in the flows directory in the root of the IdP home folder. A flow called authn/CustomMfa just has to be in a file named flows/authn/CustomMfa-flow.xml to be auto-registered. That was true in 4.0 (and 3.0 for that matter).

There are ways in 4.1+ to dynamically add them via Java jars so plugins can do that, but that's not necessary for deployers to just create flows.

If it's not in that location now, it was never correct to start with, whether it worked or not. If it is, I don't think it's possible for that error to occur unless there's something else logged about why it isn't happy with it.

>    Upon checking the “modules” enabled, I noticed that my custom module was not enabled. Trying to enable
> it also returns the below error

Which is expected, it's not a module. We made things into modules to manage the configuration. If you wanted to turn it into a module, you could, but that's not required and doesn't really buy you anything.

>    Post upgrade, I see the custom authentication definition continues to have the bean definition entry in -
> “authn/general-authn.xml”. But I don't see any entry added for it in “authn/”.

Those are installed files, they aren't modified by upgrades and they don't need to be. Defining settings for a flow in the XML file is fine. Doing it with properties instead would take more work and more understanding of Spring.

>    Can someone provide pointers on what I am missing as part of the upgrade and what is required to have my
> authentication flow restored with 4.1.6 ?

If I were to guess, I would say somebody probably decided to stick something into system/ or edit files in there to get a flow added and that is not allowed, it never was. And it's now impossible to do that and so it broke.

-- Scott
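
As an added example (not part of Scott's reply or of the Shibboleth project's own tooling), the layout rule stated above can be turned into a quick check a deployer runs before and after an upgrade: a flow with ID authn/<Name> must exist at $IDP_HOME/flows/authn/<Name>-flow.xml, nothing with that name may sit under $IDP_HOME/system/, and conf/authn/general-authn.xml should still mention the flow ID. The fixture directories, the bean snippet written into general-authn.xml and the name CustomMfa are constructed here for illustration; the grep for the flow ID is a simple heuristic, not a Spring parse.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Shibboleth project.
# Checks that a custom authn flow is laid out where the IdP auto-registers it.

# check_custom_flow IDP_HOME NAME -> 0 if the layout is supported, 1 otherwise
check_custom_flow() {
  idp_home=$1
  name=$2
  status=0

  # Rule from the post: authn/<Name> must be flows/authn/<Name>-flow.xml.
  flow_file="$idp_home/flows/authn/$name-flow.xml"
  if [ -f "$flow_file" ]; then
    echo "ok: $flow_file present (auto-registered as authn/$name)"
  else
    echo "FAIL: $flow_file missing; authn/$name will not be registered"
    status=1
  fi

  # Rule from the post: nothing of yours belongs under system/.
  stray=$(find "$idp_home/system" -name "$name*" 2>/dev/null || true)
  if [ -n "$stray" ]; then
    echo "FAIL: unsupported files under system/:"
    echo "$stray"
    status=1
  fi

  # Assumption: the flow's bean definition in general-authn.xml contains the
  # flow ID string, so a plain grep is enough to spot a missing entry.
  ga="$idp_home/conf/authn/general-authn.xml"
  if [ -f "$ga" ] && grep -q "authn/$name" "$ga"; then
    echo "ok: authn/$name referenced in $ga"
  else
    echo "FAIL: no reference to authn/$name in $ga"
    status=1
  fi
  return $status
}

# make_fixture DIR good|broken
# Constructed IdP home: "good" puts the flow in flows/authn/, "broken" parks it
# under system/ (the unsupported edit the post suspects).
make_fixture() {
  dir=$1
  kind=$2
  mkdir -p "$dir/flows/authn" "$dir/system/flows/authn" "$dir/conf/authn"
  # Constructed stand-in for the deployer's bean definition.
  printf '<beans>\n  <bean id="authn/CustomMfa" parent="shibboleth.AuthenticationFlow"/>\n</beans>\n' \
    > "$dir/conf/authn/general-authn.xml"
  if [ "$kind" = good ]; then
    printf '<flow/>\n' > "$dir/flows/authn/CustomMfa-flow.xml"
  else
    printf '<flow/>\n' > "$dir/system/flows/authn/CustomMfa-flow.xml"
  fi
}

GOOD=$(mktemp -d)
BROKEN=$(mktemp -d)
make_fixture "$GOOD" good
make_fixture "$BROKEN" broken
check_custom_flow "$GOOD" CustomMfa
check_custom_flow "$BROKEN" CustomMfa || echo "broken layout detected (exit $?)"
rm -rf "$GOOD" "$BROKEN"
```

Run it against a real installation as `check_custom_flow /opt/shibboleth-idp CustomMfa`; a flow that only passes with the file under system/ was never in a supported location, which is the situation the reply describes.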
