How to terminate MFA flow with an error?


How to terminate MFA flow with an error?

Losen, Stephen C (scl)
Hi folks,

I am using Duo and the MFA flow. If a user has registered with Duo then we set a "duo-enabled" attribute for the user in LDAP. Sending a non-registered user to Duo is pointless, it cannot succeed.

We also have a grace period for new folks to register with Duo and we have a "duo-deadline" LDAP attribute (YYYY/MM/DD).

Our policy goes like this. If duo-enabled is true, then we invoke Duo, regardless of the relying party, or any other user attributes.

If duo-enabled is not true then we conditionally let authn succeed without Duo. The duo-deadline must not be passed and the "mfaCtx.isAcceptable()" test must be true (some SPs require Duo).  Otherwise, then what?

I have this logic coded in a MFA script, but I'm not sure what is the best way to handle the "error case" where the first factor (Password) alone is not sufficient, but the user is not registered with Duo.

I have a rather ugly solution where the script sets the next flow to "authn/error" (undefined flow) and that definitely stops MFA dead in its tracks.  However, the IDP itself does not display an error (which I could customize) and instead it responds to the SP with an error, so your browser shows a cryptic error from the SP.

In this error situation I would like to display a page with a link to our "Duo portal" app where you can sign up for Duo.

Any better suggestions for going about this?

Our Duo portal app is a Shib SP so I will need to tweak my MFA logic to allow single-factor access to this SP even after the duo-deadline has passed.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: How to terminate MFA flow with an error?

Cantor, Scott E.
> I have this logic coded in a MFA script, but I'm not sure what is the best way to
> handle the "error case" where the first factor (Password) alone is not sufficient,
> but the user is not registered with Duo.

I guess that depends what you want it to do, but if you're asking a more scoped question (i.e. what the subject line explicitly says), it's documented, https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration, CustomEvents

You can return any event you want, the rest is custom error handling. The only hassle is the bit about defining the event as a legal result of the authentication flow and that's the part it documents under that section.

> I have a rather ugly solution where the script sets the next flow to
> "authn/error" (undefined flow) and that definitely stops MFA dead in its tracks.
> However, the IDP itself does not display an error (which I could customize) and
> instead it responds to the SP with an error, so your browser shows a cryptic
> error from the SP.

There are people who believe that the IdP's job is to do what it's asked, and if it's asked for MFA and can't do so, the default behavior is to respond with a status saying so. That is what the standard more or less encourages so it's the default any time authentication fails and the IdP regains control.

-- Scott


RE: How to terminate MFA flow with an error?

Losen, Stephen C (scl)
Hi folks,

First I want to thank Scott for all his help. He is an indispensable resource.

Carefully rereading the wiki, I conclude that the MFA transition map (and my associated script) can ONLY return authn flow names (or null).  In particular, the transition map cannot cause the MFA flow to terminate with a specified event.

So I will pursue a different approach.  In my MFA transition script I will check for the "duo-enabled" attr and if true, then return "authn/Duo", otherwise null.

I will define a context check intercept to check the duo-deadline attribute, and if it has passed, display an error page with a link to our Duo signup app.

The IDP will automatically handle the case where the SP requires Duo and Duo was not used.

Efficiency concern: does the IDP run the attribute resolver multiple times or does it cache?  The IDP will reference attributes in at least three places: MFA transition, context check intercept, attribute filter.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640



RE: How to terminate MFA flow with an error?

Cantor, Scott E.
> Carefully rereading the wiki, I conclude that the MFA transition map (and my
> associated script) can ONLY return authn flow names (or null).  In particular,
> the transition map cannot cause the MFA flow to terminate with a specified
> event.

No, that's not the case (or isn't meant to be). It can signal any event. It detects events that start with "authn/" to treat them in a different way (yes, it's hacky) but the overall mechanism can handle anything.

> Efficiency concern: does the IDP run the attribute resolver multiple times or
> does it cache?  The IDP will reference attributes in at least three places: MFA
> transition, context check intercept, attribute filter.

Caching has to be configured by you. If it's not told to cache, it won't.

-- Scott


RE: How to terminate MFA flow with an error?

Losen, Stephen C (scl)
Thanks, Scott.

So the MFA transition map should return the string "authn/MyEvent"? And in conf/authn/authn-events-flow.xml should I have "authn/MyEvent" or just "MyEvent" ?  Same for conf/errors.xml ?

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640



RE: How to terminate MFA flow with an error?

Cantor, Scott E.
> So the MFA transition map should return the string "authn/MyEvent"? And in
> conf/authn/authn-events-flow.xml should I have "authn/MyEvent" or just
> "MyEvent" ?  Same for conf/errors.xml ?

"MyEvent". "authn/Whatever" is an actual event name, it just happens to use a convention to recognize that it's a flow ID and there are special rules in the flows for doing things in response to those strings:

        <transition on="#{currentEvent.id.startsWith('authn/')}" to="ReselectFlow">

-- Scott


RE: How to terminate MFA flow with an error?

Losen, Stephen C (scl)
Thanks again, Scott.

I was confused because the IDP redirected me back to the SP.  I mistakenly thought that defining the event in authn-events-flow.xml was enough to prevent that.  But now I see that behavior is controlled in errors.xml in "shibboleth.LocalEventMap".

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640



RE: How to terminate MFA flow with an error?

Losen, Stephen C (scl)
Following up my previous email, I tried returning "DuoSignup" from the MFA transition map and the IDP apparently insists on it being a flow name.  The IDP displayed this error on my browser:

Uncaught Exception

A software error was encountered that prevents normal operation:

org.springframework.webflow.definition.registry.NoSuchFlowDefinitionException: No flow definition 'DuoSignup' found


And this was in idp-process.log:

2018-05-18 11:55:23,123 137.54.130.16 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.webflow.definition.registry.NoSuchFlowDefinitionException: No flow definition 'DuoSignup' found
        at org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl.getFlowDefinitionHolder(FlowDefinitionRegistryImpl.java:123)
2018-05-18 11:55:23,133 137.54.130.16 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException

I did define "DuoSignup" in conf/authn/authn-events-flow.xml

Looks like I need to use a context check intercept.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640



RE: How to terminate MFA flow with an error?

Cantor, Scott E.
> Following up my previous email, I tried returning "DuoSignup" from the MFA
> transition map and the IDP apparently insists on it being a flow name.

If you want me to dig into it, get Jim to get you into the access table for UV so I can give you access to JIRA, but my guess is the transition logic in the MFA code must be assuming they're flows, so the work around is probably to do a one-off flow that just signals the custom event as its result.

-- Scott


RE: How to terminate MFA flow with an error?

Cantor, Scott E.
I spotted it, the way it's meant to be done is you signal "null" but set the Event property in the MultiFactorAuthenticationContext object in the tree and it will use that Event as the outcome.

-- Scott


RE: How to terminate MFA flow with an error?

O'Dowd, Josh

> I spotted it, the way it's meant to be done is you signal "null" but set the Event property in the MultiFactorAuthenticationContext object in the tree and it will use that Event as the outcome.

> -- Scott

Yes.  BWO example, we use the following transition for Duo cancellations and then script adding a friendly/targeted error event that lands the user on an "error page" with appropriate messaging:

In conf/authn/mfa-config.xml:
        <entry key="authn/Duo">
                <bean parent="shibboleth.authn.MFA.Transition">
                        <property name="nextFlowStrategyMap">
                                <map>
                                        <entry key="ReselectFlow" value-ref="duo-cancelled"/>
                                </map>
                        </property>
                </bean>
        </entry>

... the value-ref fires the "duo-cancelled" script:
        <bean id="duo-cancelled" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
                <constructor-arg>
                        <value>
                                <![CDATA[
                                ... scripting for setting the Event property in MFAC
                                null;
                                ]]>
                        </value>
                </constructor-arg>
        </bean>

...  MFA sends the event out to IdP's native error handler mechanisms.

-Josh

RE: How to terminate MFA flow with an error?

Losen, Stephen C (scl)
In reply to this post by Cantor, Scott E.
Thank you very much Scott,

This worked:

event = "DuoSignup";
nextFlow = null;

...

mfaCtx.setEvent(event);
nextFlow;

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640


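The policy from the first post, implemented with the mechanism Scott gave (return null but set the Event on the MFA context), as an added example that is not code from this thread or from the Shibboleth project: a plain JavaScript function runnable under Node, with a constructed stand-in for the MFA context. The portal entityID, the attribute map and the nowMs clock argument are assumptions; the real transition script would read them from the IdP's request context.

```javascript
// Constructed stand-in for the IdP's MultiFactorAuthenticationContext (mfaCtx):
// only the two methods the transition logic touches are modelled.
function makeMfaCtx(acceptable) {
  return {
    event: null,
    isAcceptable: function () { return acceptable; },  // SP's requested context already met?
    setEvent: function (e) { this.event = e; },        // outcome event used when null is returned
  };
}

// Parse the "YYYY/MM/DD" duo-deadline attribute into ms since the epoch (midnight UTC).
// Returns null when the attribute is missing or malformed; the policy treats that as expired
// so a bad LDAP value fails closed rather than granting an open-ended grace period.
function parseDeadline(value) {
  const m = /^(\d{4})\/(\d{2})\/(\d{2})$/.exec(value || "");
  return m ? Date.UTC(+m[1], +m[2] - 1, +m[3]) : null;
}

const DAY_MS = 24 * 3600 * 1000;
// Hypothetical entityID of the Duo signup portal SP (assumption, not from the thread).
const PORTAL_SP = "https://duo-portal.example.edu/shibboleth";

// Decide what the MFA transition returns: the next flow ID or null, which is what the
// IdP expects as the script's last expression. When password alone is not allowed, the
// terminating event is recorded on mfaCtx and null is returned, so the IdP uses that
// event (declared in authn-events-flow.xml, mapped in errors.xml) as the outcome.
function nextFlow(attrs, mfaCtx, relyingPartyId, nowMs) {
  // 1. Registered users always go to Duo, whatever the SP or other attributes say.
  if (String(attrs["duo-enabled"]).toLowerCase() === "true") return "authn/Duo";
  // 2. The signup portal stays reachable with password only, even after the deadline.
  if (relyingPartyId === PORTAL_SP) return null;
  // 3. Grace period: password alone suffices while the deadline day has not passed
  //    and the SP's requested context is satisfied by it (mfaCtx.isAcceptable()).
  const deadline = parseDeadline(attrs["duo-deadline"]);
  const withinGrace = deadline !== null && nowMs < deadline + DAY_MS;
  if (withinGrace && mfaCtx.isAcceptable()) return null;
  // 4. Otherwise terminate MFA with the custom event instead of a flow ID.
  mfaCtx.setEvent("DuoSignup");
  return null;
}
```

In the IdP the same body would sit in the inline script, with mfaCtx taken from the input context and the flow ID or null as the script's final expression.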