Shibboleth IDP v4.0 to v4.16 Upgrade - Broken AuthN Flow - Help Required

prasanna cg prasannacgin at
Wed Apr 6 20:30:52 UTC 2022

Thanks Scott. 

In my current state of v4.0.1 - I simply followed the integration steps documented in the below article (MFA Provider) -

Below is my directory listing of the current state - v4.0.1. I do not see any webflow XML definitions under "flows/authn/"

# ls -ltR /opt/shibboleth-idp-401-backup/flows/authn/

total 4
drwxr-x--- 5 root root 4096 Apr  6 15:22 conditions

total 16
drwxr-x--- 2 root root 4096 Apr  6 15:22 account-locked
-rwxr-x--- 1 root root 1605 Apr  6 15:22 conditions-flow.xml
drwxr-x--- 2 root root 4096 Apr  6 15:22 expired-password
drwxr-x--- 2 root root 4096 Apr  6 15:22 expiring-password

total 4
-rwxr-x--- 1 root root 618 Apr  6 15:22 account-locked-flow.xml

total 4
-rwxr-x--- 1 root root 618 Apr  6 15:22 expired-password-flow.xml

total 4
-rwxr-x--- 1 root root 2487 Apr  6 15:22 expiring-password-flow.xml

So, does it mean the configuration steps mentioned in that article were incorrect? If yes, I’m wondering what I should be doing to get it working with 4.1.6?


> On Apr 6, 2022, at 4:05 PM, Cantor, Scott via users <users at> wrote:
> There are no modules in 4.0 and your custom login flow, which I'm not certain you should have even built, is not a module, so you don't have to enable it or try and make it something it isn't. It's just a custom webflow. Nothing was changed in 4.1 in that regard.
>> I get an error message in the “idp-process.log” as below
> Then your flow isn't in the proper place and you did something unsupported to begin with. Flows live in the flows directory in the root of the IdP home folder. A flow called authn/CustomMfa just has to be in a file named flows/authn/CustomMfa-flow.xml to be auto-registered. That was true in 4.0 (and 3.0 for that matter).
> There are ways in 4.1+ to dynamically add them via Java jars so plugins can do that, but that's not necessary for deployers to just create flows.
> If it's not in that location now, it was never correct to start with, whether it worked or not. If it is, I don't think it's possible for that error to occur unless there's something else logged about why it isn't happy with it.
>>   Upon checking the “modules” enabled, I noticed that my custom module was not enabled. Trying to enable
>> it also returns the below error
> Which is expected, it's not a module. We made things into modules to manage the configuration. If you wanted to turn it into a module, you could, but that's not required and doesn't really buy you anything.
>>   Post upgrade, I see the custom authentication definition continues to have the bean definition entry in -
>> “authn/general-authn.xml”. But I don't see any entry added for it in “authn/” for it.
> Those are installed files, they aren't modified by upgrades and they don't need to be. Defining settings for a flow in the XML file is fine. Doing it with properties instead would take more work and more understanding of Spring.
>>   Can someone provide pointers on what I am missing as part of the upgrade  and what is required to have my
>> authentication flow restored with 4.1.6 ?
> If I were to guess, I would say somebody probably decided to stick something into system/ or edit files in there to get a flow added and that is not allowed, it never was. And it's now impossible to do that and so it broke.
> -- Scott