MFA Error

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

MFA Error

Noriyuki TAKEI
Hi,all

I'm using MultiFactorAuthnConfiguration in Shibboleth 3.3.2.

But error as below occurred when accessing the sp.

<saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
</saml2p:Status>

Does someone may give a hint?




--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: MFA Error

Nate Klingenstein-2
Noriyuki,

The login process didn't result in a principal that could satisfy the AuthnRequest.  Without a successfully authenticated user, the IdP has to return an error to the SP.

You want to compare the AuthnContext requested in the AuthnRequest, SP metadata, and relying party configuration to the AuthnContexts that resulted from the MFA process.  There might have been no result from authentication at all, or the resulting principal types might not match, so they can't be used.

There will be something helpful in the logs.

I hope this helps,
Nate.

On Mon, May 14, 2018 at 4:18 PM, Noriyuki TAKEI <[hidden email]> wrote:
Hi,all

I'm using MultiFactorAuthnConfiguration in Shibboleth 3.3.2.

But error as below occurred when accessing the sp.

<saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
</saml2p:Status>

Does someone may give a hint?




--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: MFA Error

Cantor, Scott E.
> You want to compare the AuthnContext requested in the AuthnRequest, SP
> metadata, and relying party configuration to the AuthnContexts that resulted
> from the MFA process.

There's nothing in metadata, FWIW, no such extension has ever been defined. The request would also supersede anything in the configuration.

So it's really not too complex, either you wired it to do something it can't handle (unlikely) or the SP requested something it can't handle (much more likely).

-- Scott

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: MFA Error

Noriyuki TAKEI
Hi,all

Thanks to your advice,I could solve this!!

2018年5月15日(火) 9:18 Cantor, Scott <[hidden email]>:
> You want to compare the AuthnContext requested in the AuthnRequest, SP
> metadata, and relying party configuration to the AuthnContexts that resulted
> from the MFA process.

There's nothing in metadata, FWIW, no such extension has ever been defined. The request would also supersede anything in the configuration.

So it's really not too complex, either you wired it to do something it can't handle (unlikely) or the SP requested something it can't handle (much more likely).

-- Scott

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
--
・‥…━━━━━━━━━━━━━━━━━━━━━━━…‥
 サイオステクノロジー株式会社
  技術部
  クラウドソリューショングループ
  武井 宜行
  〒106-0047  東京都港区南麻布二丁目 12 番 3 号 サイオスビル
  TEL:070-6569-1211 (直通) 03-6401-5117 (部代表)
  URL:http://www.sios.com/

 ■SIOSの最新情報はこちらから!「いいね!」をお待ちしています■
 (SIOS Technology):http://www.facebook.com/SIOSTechnology
 (OSSよろず相談室):http://www.facebook.com/OSSyorozu

 ■Twitter公式アカウント■
 https://twitter.com/#!/SIOS_Technology
・‥…━━━━━━━━━━━━━━━━━━━━━━━…‥

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]