Identity Provider / IDP-1201

eDir password expiry warning breaks Duo flow


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 3.3.1
    • Fix Version/s: None
    • Component/s: Authentication, Duo
    • Environment:

      Oracle Linux 6 running Oracle Java 8u141 with Tomcat 8.0.45 and Shibboleth IdP 3.3.1. Primary authentication against eDirectory. Using the Shibboleth-provided Duo plugin (not third-party).

    • Operating System:
      Multiple
    • Java Version:
      Oracle Java 8
    • Servlet Container:
      Apache Tomcat 8

      Description

      conf/authn/ldap-authn-config.xml has been modified to use the following authentication response handler:
      {{
      <bean id="eDirAuthenticationResponseHandler" class="org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler">
          <!-- warning window -->
          <constructor-arg index="0" value="120" type="int" />
      </bean>
      }}
      so that we can appropriately time our expiringPassword warning to 120 hrs from expiration.

      Duo has been configured in the standard manner, using https://wiki.shibboleth.net/confluence/display/IDP30/DuoAuthnConfiguration#DuoAuthnConfiguration-GeneralConfiguration as a guide.

      The mfa-authn-config.xml JavaScript section simply returns nextFlow="authn/Duo" for now as a placeholder for more complex logic.

      We have set idp.authn.LDAP.resolveEntryOnFailure = true

      When a user gets the expiring password warning page, we allow them to skip the warning by creating this link in the Velocity template:
      href="$flowExecutionUrl&_eventId_proceed=1"
      But when the user attempts to continue via that link, the following exception is thrown in the IdP logs:
      {{
      2017-07-31 12:09:23,612 - ERROR [net.shibboleth.idp.authn.duo:-2] - DuoWebException
      org.springframework.expression.ExpressionInvocationTargetException: A problem occurred when trying to execute method 'generateSignedRequestToken' on object of type [java.lang.Class]
          at org.springframework.expression.spel.ast.MethodReference.throwSimpleExceptionIfPossible(MethodReference.java:227)
      Caused by: com.duosecurity.duoweb.DuoWebException: ERR|The username passed to sign_request() is invalid.
          at net.shibboleth.idp.authn.duo.impl.DuoSupport.generateSignedRequestToken(DuoSupport.java:64)
      2017-07-31 12:09:23,640 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: AuthenticationException
      }}

      This in turn throws an OpenSAML error on the SP due to the authncontext not being fulfilled.

            People

            Assignee:
            cantor.2@osu.edu Scott Cantor
            Reporter:
            craigb@clemson.edu CRAIGB
            Watchers:
            1
