Shibboleth v4.1.0 upgrade failure with DuoOIDC plugin for Universal Prompt support

Yang, Charles cyang at
Fri Jun 30 20:03:16 UTC 2023

      Shibboleth failed to boot. Jetty log presented this message.
WARN [org.eclipse.jetty.webapp.WebAppContext:533] - Failed startup of context o.e.j.w.WebAppContext at 305a0c5f{Shibboleth Identity Pr
ovider,/idp,[file:///opt/jetty/temp/jetty-127_0_0_1-8008-idp_war-_idp-any-11747669412705206324/webinf/, jar:file:///opt/shibboleth-idp/war/idp.war!/],UNAVAIL
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'shibboleth.AvailableAuthenticationFlows' defined in null:
Could not resolve placeholder 'idp.authn.DuoOIDC.subjectDecorator' in value "#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}"; nested exception
is java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.authn.DuoOIDC.subjectDecorator' in value "#{getObject('%{idp.authn.DuoOIDC.subjectD

Caused by: java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.authn.DuoOIDC.subjectDecorator' in value "#{getObject('%{idp.authn.DuoOIDC.subjectDecorator}'.trim())}"

System versioning history: v3.3.3 -> v3.4.7 -> v3.4.8 -> v4.0.1(starting version) -> v4.1.0

Plugin installed:
bin]# ./ -l
Plugin: net.shibboleth.oidc.common      Current Version: 1.1.0
Plugin: net.shibboleth.idp.plugin.authn.duo.nimbus      Current Version: 1.0.0

Module states:
bin]# ./ -l
Module: idp.oidc.common.1 [ENABLED]  <=== this is enabled after I installed it ..
Module: idp.authn.DuoOIDC [ENABLED]  <=== this is enabled after I installed it ..
Module: idp.authn.Duo [ENABLED]
Module: idp.authn.External [ENABLED]
Module: idp.authn.Function [ENABLED]
Module: idp.authn.IPAddress [ENABLED]
Module: idp.authn.MFA [ENABLED]
Module: idp.authn.Password [ENABLED]
Module: idp.authn.RemoteUser [ENABLED]
Module: idp.authn.RemoteUserInternal [ENABLED]
Module: idp.authn.SPNEGO [ENABLED]
Module: idp.authn.X509 [DISABLED]
Module: idp.authn.Demo [DISABLED]
Module: idp.admin.Hello [DISABLED]
Module: idp.admin.UnlockKeys [ENABLED]
Module: idp.intercept.Consent [ENABLED]
Module: idp.intercept.ContextCheck [ENABLED]
Module: idp.intercept.ExpiringPassword [ENABLED]
Module: idp.intercept.Impersonate [ENABLED]
Module: idp.intercept.Warning [DISABLED]
Module: idp.profile.CAS [ENABLED]

Jetty version: 9.4.35.v20201120

Java version:
jetty]# java -version
openjdk version "" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build
OpenJDK 64-Bit Server VM 18.9 (build, mixed mode, sharing)

Steps followed:

authn/DuoOIDC Flow Descriptor XML is added in conf/authn/general-authn.xml -->

Working workaround(which allows Jetty to boot properly and Shibboleth v4.1.0 working):

Manual removal of this line in "Flow Descriptor XML"

Other attempts:

I have tried performing this upgrade path: v4.0.1-> v4.1.0 -> v4.3.1.
with v4.3.1 in place, I add both "oidc.common" and "duo.nimbus" plugins to its latest release version.

I got the same result.


is this a known issue for an upgraded Shib system ?
Would the workaround post any issue with DuoOIDC functionalities ?
What am I missing from the upgrade process ? user error ?

Thank you for your time !

Chuck Yang

System Analyst, Infrastructure Services
Division of Information Technology

P: 657-278-5624
800 N. State College Blvd. Fullerton, CA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list