List:       shibboleth-users
Subject:    MCB in IdP v3 (3.2.0)
From:       Pradeep Jamble <pjamble () gmail ! com>
Date:       2016-04-28 18:58:13
Message-ID: CANBbAosw+pdmW9y5=zv1dEpUJEL_Lf-qYDPueu2WhBf9EKRu4A () mail ! gmail ! com

Hello,

I'm trying to set up MCB in v3 as documented on the wiki below but I'm
running into an issue.
https://wiki.shibboleth.net/confluence/pages/viewpage.action?pageId=20807829

Here's what I've configured based on the wiki:

Step 1 & 2: As in the wiki, no changes
Step 3: Defined in general-authn.xml instead of global.xml (based on
another thread in the user community related to MCB)
Step 4, 5, 6 & 7: As in the wiki, no changes except for the attribute used
to read the authn context.
Step 8: Ignored, since we don't need it in our case

I get past the login page and then it errors at the SP end. From the debug
logs, I see it's trying to compare the context with Password & Duo flows
but it can't find a matching context. Here's a snippet:

2016-04-28 03:30:39,023 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:212] - Profile Action FilterFlowsByAttribute: Looking for match for flow authn/Duo against values for attribute info
2016-04-28 03:30:39,024 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action FilterFlowsByAttribute: Comparing principal http://www.duosecurity.com/ against attribute values [StringAttributeValue{value=http://uchicago.edu/duo}]
2016-04-28 03:30:39,024 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action FilterFlowsByAttribute: Comparing principal urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport against attribute values [StringAttributeValue{value=http://uchicago.edu/duo}]
2016-04-28 03:30:39,025 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action FilterFlowsByAttribute: Comparing principal http://www.duosecurity.com/ against attribute values [StringAttributeValue{value=http://uchicago.edu/duo}]
2016-04-28 03:30:39,025 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:164] - Profile Action FilterFlowsByAttribute: Removing flow authn/Duo, Principals did not match any attribute values

Looks like it's using the context defined in the unicon plugin rather than
the configured one.
Here's the error message towards the end:

2016-04-28 03:30:39,040 - ERROR [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:296] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication will fail
2016-04-28 03:30:39,054 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: NoPotentialFlow

Appreciate any help or guidance to get this working.

Regards,
Pradeep
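
Added example (not part of the original message, and not Shibboleth project code): a small triage script for FilterFlowsByAttribute debug output like the snippet above. It re-joins mail-wrapped entries and reports, per removed flow, the principals that were compared against the attribute values. The function names are hypothetical and the regexes assume the message wording shown in the quoted log lines.

```python
import re

ENTRY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} - ")
LOOKING = re.compile(r"Looking for match for flow (\S+) against values for attribute (\S+)")
COMPARING = re.compile(r"Comparing principal (\S+) against attribute values \[(.*)\]")
VALUE = re.compile(r"value=([^}]*)\}")
REMOVING = re.compile(r"Removing flow ([^,\s]+), Principals did not match")

# Sample built from the entries quoted in the message; the second is left mail-wrapped on purpose.
SAMPLE = """\
2016-04-28 03:30:39,023 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:212] - Profile Action FilterFlowsByAttribute: Looking for match for flow authn/Duo against values for attribute info
2016-04-28 03:30:39,024 - DEBUG
[net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action
FilterFlowsByAttribute: Comparing principal http://www.duosecurity.com/
against attribute values [StringAttributeValue{value=http://uchicago.edu/duo
}]
2016-04-28 03:30:39,024 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:215] - Profile Action FilterFlowsByAttribute: Comparing principal urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport against attribute values [StringAttributeValue{value=http://uchicago.edu/duo}]
2016-04-28 03:30:39,025 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByAttribute:164] - Profile Action FilterFlowsByAttribute: Removing flow authn/Duo, Principals did not match any attribute values
"""

def unwrap(text):
    """Re-join wrapped entries: a new entry always starts with a timestamp."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Per flow: attribute consulted, principals compared, values seen, removed or not."""
    flows, current = {}, None
    for entry in unwrap(text):
        if m := LOOKING.search(entry):
            current = flows.setdefault(m[1], {"attribute": m[2], "principals": set(),
                                              "values": set(), "removed": False})
        elif (m := COMPARING.search(entry)) and current is not None:
            current["principals"].add(m[1])
            current["values"].update(v.strip() for v in VALUE.findall(m[2]))
        elif (m := REMOVING.search(entry)) and m[1] in flows:
            flows[m[1]]["removed"] = True
    return flows

def removed_flows(text):
    """Flows dropped because no compared principal equals any attribute value."""
    return {name: f for name, f in summarize(text).items()
            if f["removed"] and not f["principals"] & f["values"]}

if __name__ == "__main__":
    for name, f in removed_flows(SAMPLE).items():
        print(name, "attribute", f["attribute"], sorted(f["values"]), "vs", sorted(f["principals"]))
```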
