Error with forceAuthn option


Error with forceAuthn option

jsante
I'm consistently getting errors when attempting to use the forceAuthn option to force re-authentication.  Whether I set it through the query string (https://spaces.internet2.edu/display/SHIB2/NativeSPSessionCreationParameters) or through a SessionInitiator (https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator), I get the following error in the browser:

opensaml::FatalProfileException at (https://(hostname)/Shibboleth.sso/SAML2/POST)

SAML response contained an error.

Error from identity provider:

    Status: urn:oasis:names:tc:SAML:2.0:status:Responder
    Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

I was unable to find any other relevant error in the IdP and SP logs.

Sequence of events:

1. Try to access protected resource.
2. Redirected to shib login: https://(hostname)/Shibboleth.sso/Login?acsIndex=1&target=https://(hostname)/shib/index.php
3. Authenticated normally, redirected back to my application.
4. I now wish to force re-authentication, so I go to the following URL: https://(hostname)/Shibboleth.sso/Login?acsIndex=1&target=https://(hostname)/shib/index.php&forceAuthn=true
...which results in the above error.

If I strip off the &forceAuthn=true, I remain authenticated and am redirected back to the target normally.

The shibd logs indicate that the only difference in the AuthnRequest between a working and non-working state is the existence of ForceAuthn="1":

With forceAuthn: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="1" Destination="https://shibboleth2.uchicago.edu/idp/profile/SAML2/Redirect/SSO" ForceAuthn="1" ID="_563527f6394bf11d21176bb7e33b7bbf" IssueInstant="2009-05-15T16:13:32Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://(hostname)/shib</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>

Without: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="1" Destination="https://shibboleth2.uchicago.edu/idp/profile/SAML2/Redirect/SSO" ID="_35093e02fdadfa61abb75db8c0158813" IssueInstant="2009-05-15T16:20:13Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://(hostname)/shib</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>

Does anyone know what might be causing this error to appear?  Is anyone else using this option successfully?  We've tried every configuration option we could think of, but if ForceAuthn="1" ever ends up in the AuthnRequest, we get the error.

Environment:

SP: 2.2, r2986
IdP: 2.1

I have shibd logs for both the working and non-working case, and can post them if it would be helpful.

Thank you for your attention.

 - Justin

RE: Error with forceAuthn option

Cantor, Scott E.
> Does anyone know what might be causing this error to appear?

Are you using a login handler at the IdP that supports forced authentication
and is it configured to recognize that?

> I have shibd logs for both the working and non-working case, and can post
> them if it would be helpful.

The SP has nothing to do with it. It's just reporting the result the IdP
returns.

(Using any of the advanced options pretty much demands using
redirection-based error handling or you'll just get useless error pages and
confused users.)

-- Scott
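An added example, not code from the thread or from Shibboleth, that models the exchange Justin and Scott describe: the SP's AuthnRequest carrying ForceAuthn="1" arrives at an IdP whose login handler cannot re-authenticate the user, the IdP answers with Responder/AuthnFailed, and the SP reduces that Response to the two status lines shown in the error page. The handler_supports_force_authn flag is an assumption standing in for the capability of the IdP's configured login handler; the request XML is the one quoted from the shibd log, with the Destination attribute dropped for brevity.

```python
"""Model of the ForceAuthn failure discussed in this thread (added example)."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# AuthnRequest quoted from the thread's shibd log (ForceAuthn="1" variant, Destination omitted).
REQ_WITH_FORCE = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceIndex="1" ForceAuthn="1" '
    'ID="_563527f6394bf11d21176bb7e33b7bbf" IssueInstant="2009-05-15T16:13:32Z" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://(hostname)/shib</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>'
)
# The same request without ForceAuthn: the working case from the thread.
REQ_WITHOUT_FORCE = REQ_WITH_FORCE.replace(' ForceAuthn="1"', "")


def force_authn_requested(authn_request_xml: str) -> bool:
    """True when the request carries ForceAuthn; xs:boolean allows 'true' or '1'."""
    root = ET.fromstring(authn_request_xml)
    return root.get("ForceAuthn", "false").lower() in ("true", "1")


def idp_status(authn_request_xml: str, handler_supports_force_authn: bool) -> Tuple[str, Optional[str]]:
    """Simplified model (not the Shibboleth IdP's own code) of the decision Scott points at:
    a login handler that cannot re-authenticate the user cannot honour ForceAuthn,
    so the IdP reports Responder with sub-status AuthnFailed instead of issuing an assertion."""
    if force_authn_requested(authn_request_xml) and not handler_supports_force_authn:
        return RESPONDER, AUTHN_FAILED
    return SUCCESS, None


def status_xml(status: str, sub_status: Optional[str]) -> str:
    """Render the <samlp:Status> element the IdP places in its Response."""
    inner = f'<samlp:StatusCode Value="{sub_status}"/>' if sub_status else ""
    return (f'<samlp:Status xmlns:samlp="{SAMLP}">'
            f'<samlp:StatusCode Value="{status}">{inner}</samlp:StatusCode></samlp:Status>')


def sp_report(status_element_xml: str) -> str:
    """Reduce a Status element to the Status / Sub-Status lines the SP error page shows."""
    root = ET.fromstring(status_element_xml)
    top = root.find("samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS)
    lines = [f"Status: {top.get('Value')}"]
    if sub is not None:
        lines.append(f"Sub-Status: {sub.get('Value')}")
    return "\n".join(lines)
```

Running idp_status on the ForceAuthn request with the flag set to False and feeding the result through status_xml and sp_report reproduces exactly the two status lines from the original error; with the flag True, or with the request lacking ForceAuthn, the status is Success.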



Re: Error with forceAuthn option

jsante
Scott,

Thank you for your suggestion; it turns out that the login handler we're using, Pubcookie, doesn't support forced authentication. We're holding off on this feature until we can get a new login handler installed.

Thanks again,

 - Justin.



Re: Error with forceAuthn option

Jim Fox

Pubcookie does support forced reauth. It's the default remote-user
login handler that doesn't. If you're interested I have a login
handler that supports forced reauth and works with pubcookie.

Jim


On Thu, 21 May 2009, Justin Sante wrote: