Shibboleth 3.3.3 and Duo MFA Issue

Shibboleth 3.3.3 and Duo MFA Issue

Alexandre Adao
I am running Shibboleth IdP version 3.3.3. I am trying to configure Shibboleth with Duo MFA. I followed the instructions from both sources:
and 

The idp-process.log shows that I am having problems as follows:

WARN [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:198] - Profile Action PopulateAuthenticationContext: No authentication flows are active for this request

INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:294] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication failed

Any help will be very much appreciated.

Thanks,

--Alex 




--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
RE: Shibboleth 3.3.3 and Duo MFA Issue

Cantor, Scott E.
> I am running Shibboleth IdP version 3.3.3. I am trying to configure Shibboleth
> with Duo MFA. I followed the instructions from both sources:
> https://mimoto.co.uk/shibboleth-idp/duo/mfa/2017/06/01/duo-mfa-in-shibboleth-idp.html

Which is not our documentation and not anything I'm going to read or comment on.

> and https://wiki.shibboleth.net/confluence/display/IDP30/DuoAuthnConfiguration

That's only half the picture. You have to use the MFA flow as a driver for the logic to apply for when to trigger both factors, which is documented in its own right in its own topic, and it comes with examples that are directly adaptable to use Duo as the second factor, you just transplant IPAddress + Password in the shipped example to Password + Duo instead, at least as a starting point.

> The idp-process.log shows that I am having problems as follows:

That's entirely non-specific, but it suggests you aren't using the MFA flow or at least not using it correctly, so I would have to suggest you start with that documentation. If the setting in idp.properties to control which login flow to run doesn't have only the MFA flow active, you're probably not doing things as documented. If you do, then you probably have something misconfigured in the supportedPrincipals collections for the various flows in general-authn.xml that aren't fitting together.

-- Scott
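
One way to check the two things the reply above points at (only the MFA flow enabled in idp.properties, and supportedPrincipals that line up in general-authn.xml), as an added example that is not part of the thread or of Shibboleth's own tooling. The sample file contents are constructed, the classRef URNs are placeholders, and the rule that authn/MFA should list every principal its factor flows list is an assumed reading of "fitting together".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not from the thread); classRef URNs are placeholders.
SAMPLE_PROPERTIES = "idp.authn.flows = Password|Duo\n"
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:c="http://www.springframework.org/schema/c">
 <util:list id="shibboleth.AvailableAuthenticationFlows">
  <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"><property name="supportedPrincipals"><list>
   <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:example:password"/></list></property></bean>
  <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"><property name="supportedPrincipals"><list>
   <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:example:mfa"/></list></property></bean>
  <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"><property name="supportedPrincipals"><list>
   <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:example:password"/></list></property></bean>
 </util:list></beans>"""
BEAN = "{http://www.springframework.org/schema/beans}bean"
CLASSREF = "{http://www.springframework.org/schema/c}classRef"

def active_flows(properties_text):
    """Alternatives named by idp.authn.flows, treating the value as a plain a|b list."""
    m = re.search(r"^[ \t]*idp\.authn\.flows[ \t]*[=:][ \t]*(.*)$", properties_text, re.M)
    return [f.strip() for f in m.group(1).split("|") if f.strip()] if m else []

def supported_principals(xml_text):
    """Map each authn/<name> flow bean to the set of classRefs it lists."""
    flows = {}
    for bean in ET.fromstring(xml_text).iter(BEAN):
        if bean.get("id", "").startswith("authn/"):
            refs = {p.get(CLASSREF) for p in bean.iter(BEAN) if p.get(CLASSREF)}
            flows[bean.get("id")[len("authn/"):]] = refs
    return flows

def check(properties_text, xml_text, factors=("Password", "Duo")):
    """Return human-readable problems; an empty list means both checks pass."""
    active, flows = active_flows(properties_text), supported_principals(xml_text)
    problems = []
    if active != ["MFA"]:
        problems.append("idp.authn.flows enables %s, expected only MFA" % (active or "nothing"))
    for name in ("MFA",) + tuple(factors):
        if name not in flows:
            problems.append("authn/%s is not defined in general-authn.xml" % name)
    for name in factors:
        # Assumed rule: authn/MFA should list every principal its factors list.
        missing = flows.get(name, set()) - flows.get("MFA", set())
        if missing:
            problems.append("authn/MFA lacks %s listed by authn/%s" % (sorted(missing), name))
    return problems
```

Calling `check(SAMPLE_PROPERTIES, SAMPLE_XML)` on the constructed input reports both problems; pass it the text of the real idp.properties and general-authn.xml to run the same checks on a deployment.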

Re: Shibboleth 3.3.3 and Duo MFA Issue

Alexandre Adao
Thank you for your fast response.

On Thu, Jul 19, 2018 at 4:38 PM Cantor, Scott <[hidden email]> wrote:
> > I am running Shibboleth IdP version 3.3.3. I am trying to configure Shibboleth
> > with Duo MFA. I followed the instructions from both sources:
> > https://mimoto.co.uk/shibboleth-idp/duo/mfa/2017/06/01/duo-mfa-in-shibboleth-idp.html
>
> Which is not our documentation and not anything I'm going to read or comment on.
>
> > and https://wiki.shibboleth.net/confluence/display/IDP30/DuoAuthnConfiguration
>
> That's only half the picture. You have to use the MFA flow as a driver for the logic to apply for when to trigger both factors, which is documented in its own right in its own topic, and it comes with examples that are directly adaptable to use Duo as the second factor, you just transplant IPAddress + Password in the shipped example to Password + Duo instead, at least as a starting point.
>
> > The idp-process.log shows that I am having problems as follows:
>
> That's entirely non-specific, but it suggests you aren't using the MFA flow or at least not using it correctly, so I would have to suggest you start with that documentation. If the setting in idp.properties to control which login flow to run doesn't have only the MFA flow active, you're probably not doing things as documented. If you do, then you probably have something misconfigured in the supportedPrincipals collections for the various flows in general-authn.xml that aren't fitting together.
>
> -- Scott
