Affects Version/s: 3.3.1
Fix Version/s: None
Oracle Linux 6 running Oracle Java 8u141 with Tomcat 8.0.45 and Shibboleth IdP 3.3.1. Primary authentication is against eDirectory, using the Shibboleth-provided Duo plugin (not a third-party one).
Java Version: Oracle Java 8
Servlet Container: Apache Tomcat 8
conf/authn/ldap-authn-config.xml has been modified to use the following authentication response handler:
<bean id="eDirAuthenticationResponseHandler" class="org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler">
    <!-- warning window, in hours -->
    <constructor-arg index="0" value="120" type="int" />
</bean>
so that we can appropriately time our expiringPassword warning to 120 hours from expiration.
Duo has been configured in the standard manner, using https://wiki.shibboleth.net/confluence/display/IDP30/DuoAuthnConfiguration#DuoAuthnConfiguration-GeneralConfiguration as a guide.
We have set idp.authn.LDAP.resolveEntryOnFailure = true.
When a user gets the expiring-password warning page, we allow them to skip the warning by creating this link in the Velocity template:
But when the user attempts to continue via that link, the following exception is thrown in the IdP logs:
2017-07-31 12:09:23,612 - ERROR [net.shibboleth.idp.authn.duo:-2] - DuoWebExcept
org.springframework.expression.ExpressionInvocationTargetException: A problem occurred when trying to execute method 'generateSignedRequestToken' on object of t
Caused by: com.duosecurity.duoweb.DuoWebException: ERR|The username passed to sign_request() is invalid.
2017-07-31 12:09:23,640 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: AuthenticationExcept
This in turn causes an OpenSAML error on the SP, because the requested AuthnContext is not fulfilled.
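Added illustration (not part of the report above, and not the IdP's or Duo's own code): the "ERR|The username passed to sign_request() is invalid." text in the log is the message Duo's published duo_web reference library returns from sign_request() when the username it is given is empty or contains a "|" (the field separator inside the signed token); the key-length checks produce the sibling ERR_IKEY/ERR_SKEY/ERR_AKEY messages. The block below reimplements that signing and verification logic in Python so the failing inputs can be exercised offline. The integration key, secret key, application key and the simulated Duo AUTH response are constructed dummies, and the IdP's generateSignedRequestToken is assumed to feed the same username value into this routine.

```python
import base64
import hashlib
import hmac
import time

# Constants mirror Duo's duo_web reference library; the keys below are
# constructed dummies of the required lengths, not real credentials.
DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600
IKEY_LEN, SKEY_LEN, AKEY_LEN = 20, 40, 40

ERR_USER = "ERR|The username passed to sign_request() is invalid."
ERR_IKEY = "ERR|The Duo integration key passed to sign_request() is invalid."
ERR_SKEY = "ERR|The Duo secret key passed to sign_request() is invalid."
ERR_AKEY = ("ERR|The application secret key passed to sign_request() "
            "must be at least %d characters." % AKEY_LEN)

IKEY = "DI" + "X" * 18   # constructed, 20 chars
SKEY = "s" * 40          # constructed, 40 chars
AKEY = "a" * 40          # constructed, >= 40 chars


def _sign_vals(key, vals, prefix, expire):
    """Build PREFIX|base64(user|ikey|expiry)|hmac_sha1(key, PREFIX|b64)."""
    exp = str(int(time.time()) + expire)
    val = "|".join(vals + [exp])
    b64 = base64.b64encode(val.encode()).decode()
    cookie = "%s|%s" % (prefix, b64)
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return "%s|%s" % (cookie, sig)


def _parse_vals(key, val, prefix, ikey):
    """Verify one signed part and return its username, or None on any failure."""
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    expected = hmac.new(key.encode(), ("%s|%s" % (u_prefix, u_b64)).encode(),
                        hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, u_sig) or u_prefix != prefix:
        return None
    cookie_parts = base64.b64decode(u_b64).decode().split("|")
    if len(cookie_parts) != 3:
        return None
    user, u_ikey, exp = cookie_parts
    if u_ikey != ikey or int(time.time()) >= int(exp):
        return None
    return user


def sign_request(ikey, skey, akey, username):
    """Return the sig_request for the Duo iframe, or an ERR|... string."""
    # These input checks are what yield the message seen in the IdP log.
    if not username or "|" in username:
        return ERR_USER
    if not ikey or len(ikey) != IKEY_LEN:
        return ERR_IKEY
    if not skey or len(skey) != SKEY_LEN:
        return ERR_SKEY
    if not akey or len(akey) < AKEY_LEN:
        return ERR_AKEY
    duo_sig = _sign_vals(skey, [username, ikey], DUO_PREFIX, DUO_EXPIRE)
    app_sig = _sign_vals(akey, [username, ikey], APP_PREFIX, APP_EXPIRE)
    return "%s:%s" % (duo_sig, app_sig)


def verify_response(ikey, skey, akey, sig_response):
    """Return the authenticated username, or None if either half fails."""
    try:
        auth_sig, app_sig = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey)
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user


def simulate_duo_response(ikey, skey, username, sig_request):
    """Constructed stand-in for the AUTH part Duo's service would sign."""
    app_sig = sig_request.split(":")[1]
    auth_sig = _sign_vals(skey, [username, ikey], AUTH_PREFIX, DUO_EXPIRE)
    return "%s:%s" % (auth_sig, app_sig)


if __name__ == "__main__":
    print(sign_request(IKEY, SKEY, AKEY, ""))        # the ERR|... username message
    req = sign_request(IKEY, SKEY, AKEY, "jdoe")
    print(verify_response(IKEY, SKEY, AKEY, simulate_duo_response(IKEY, SKEY, "jdoe", req)))
```

Running it with an empty username reproduces the exact ERR string from the log, while a non-empty username without "|" yields a "TX|...:APP|..." token that round-trips through verify_response. When diagnosing the report above, the thing to confirm is therefore what username value the IdP's Duo flow holds after the skip link is followed, since that value is all sign_request() validates.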