AuthnInstant is updated even when authentication doesn't happen
Description
Environment
Activity
ChadCSeptember 28, 2009 at 2:03 AMEdited
Fixed in rev 2894
Scott CantorSeptember 3, 2009 at 2:41 PM
Related bug is that the feature to preserve the original AuthnContext/AuthnMethod appears to be unusable. Regardless of the reportPreviousSessionAuthnMethod flag, the method ends up set to PreviousSession in the assertion if that login handler gets used.
I think this is because of the code in the AuthenticationEngine at line 251:
if (idpSession != null && possibleLoginHandlers.containsKey(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX)) {
loginContext.setAttemptedAuthnMethod(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
loginHandler = possibleLoginHandlers.get(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
} else {
It sets the attempted method, and that probably defaults in as the method used if the handler doesn't override it. So we're hiding both the original context and the timestamp with the current code when SSO gets done.
Scott CantorSeptember 3, 2009 at 12:00 PM
The proximate cause is line 618 of AuthenticationEngine.java:
AuthenticationMethodInformation authnMethodInfo = new AuthenticationMethodInformationImpl(idpSession
.getSubject(), authenticationPrincipal, authenticationMethod, new DateTime(), loginHandler
.getAuthenticationDuration());
loginContext.setAuthenticationMethodInformation(authnMethodInfo);
The "new DateTime() parameter could be conditionally used if the method is set to PreviousSession, but I don't know if the original timestamp is preserved, or where. Possibly by just interrogating the Session before updating it?
So something like:
DateTime instant;
if (authenticationMethod.equals("urn:....:PreviousSession"))
instant = new DateTime();
else
instant = loginContext.getAuthenticationMethodInformation().getAuthenticationInstant();
That only works if the LoginContext has that info object populated ahead of time, don't know if that's true or not.
Martin SmithSeptember 3, 2009 at 11:50 AMEdited
Scott Cantor wrote on 2009-09-03:
Martin B. Smith wrote on 2009-09-02:
> > Before I filed a bug, I wanted to see if anyone else could reproduce
> > this on a 2.1.2 IdP, or if anyone noticed that it didn't happen before
> > the 2.1.2 IdP, i.e. has the behavior changed?
As of at least 2.1.3, there's a bug. I can change the asserted context class
in the PreviousSession handler to PasswordProtectedTransport, but doing so
doesn't prevent the AuthnInstant from refreshing. That should be the
trigger, I would think.
You should file a bug on this.
– Scott
We're having some SPs report that they are seeing HTTP_SHIB_AUTHENTICATION_INSTANT get an updated value for users that are getting redirected from an SP to our IdP and back, even when the user didn't have to re-authenticate (seamless redirects from a user perspective).
I assumed that HTTP_SHIB_AUTHENTICATION_INSTANT / AuthnInstant was only updated when the user entered credentials and those credentials were checked, not simply when the SP establishes a new session from an existing IdP session. After reading SAML2 spec, I still think my assumption is correct.