When pac4j delegated AuthN fails ...


Rich Renomeron

Nov 21, 2018, 12:18:09 PM
to cas-...@apereo.org
I have a requirement to gracefully handle a failed delegated authentication scenario (from multiple providers).  A specific example of this is when a SAML IdP returns an AuthnFailed in the (SAML) response.

Based on my memory with 5.2 and 5.1 overlays, I would expect that, if configured correctly, I'd end up on the stopWebflow state when that happens.  But if I am reading the 5.3.5 code and my logs correctly, it seems that the DelegatedClientAuthenticationAction is now just throwing in IllegalArgumentException back to the web flow, which results in the generic error page.  That's not really what I want to show my users, especially when I need to give them a way back to the login page to try a different authN method and end up at the right service if the other attempt succeeds.

Is there a preferred way to handle an exception like that now?  I could just mod the generic error page to have a "go back to CAS login" link (like the stopWebflow error page does), but that's not ideal.  Or I could write some custom code to inject an ExceptionHandler into the clientAction state (which I'm not succeeding with at the moment; I can't get my WebflowConfigurer to run after the clientAction state has been created).  Is there a reason why CAS doesn't seem to use the stopWebflow state to handle this any more?

Thanks,
Rich
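One way to do what this post describes, attaching an exception handler to the clientAction state so a failed delegated login lands on stopWebflow instead of the generic error page. This is an added example, not code from the thread or from the CAS project. It assumes the CAS 5.3 AbstractCasWebflowConfigurer API (constructor, getLoginFlow, getState, setOrder), the Spring Webflow TransitionExecutingFlowExecutionExceptionHandler, and the state ids "clientAction" and "stopWebflow" named in the thread; registering the configurer with the overlay's CasWebflowExecutionPlanConfigurer is assumed to be done elsewhere.

```java
// Added example (not from the thread or the CAS project). Assumes CAS 5.3's
// AbstractCasWebflowConfigurer API and the "clientAction"/"stopWebflow" state ids.
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.context.ApplicationContext;
import org.springframework.core.Ordered;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.ActionState;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.engine.support.TransitionExecutingFlowExecutionExceptionHandler;

public class DelegatedFailureWebflowConfigurer extends AbstractCasWebflowConfigurer {

    // State id the thread refers to; assumed, check it against your overlay's flow.
    private static final String STATE_ID_CLIENT_ACTION = "clientAction";

    public DelegatedFailureWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                             final FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                             final ApplicationContext applicationContext,
                                             final CasConfigurationProperties casProperties) {
        super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
        // Run after the built-in delegated-authentication configurer; otherwise the
        // clientAction state does not exist yet when doInitialize() is called.
        // (setOrder is assumed to be available on the 5.3 base class.)
        setOrder(Ordered.LOWEST_PRECEDENCE);
    }

    @Override
    protected void doInitialize() {
        final Flow flow = getLoginFlow();
        if (flow == null || !flow.containsState(STATE_ID_CLIENT_ACTION)) {
            // Delegated authentication is not enabled in this overlay; nothing to wire.
            return;
        }
        final ActionState clientAction = getState(flow, STATE_ID_CLIENT_ACTION, ActionState.class);

        // Map the IllegalArgumentException that the action throws for a failed or
        // cancelled delegated login onto the stopWebflow state, which already
        // offers the user a way back to the CAS login page.
        final TransitionExecutingFlowExecutionExceptionHandler handler =
            new TransitionExecutingFlowExecutionExceptionHandler();
        handler.add(IllegalArgumentException.class, CasWebflowConstants.STATE_ID_STOP_WEBFLOW);
        clientAction.getExceptionHandlerSet().add(handler);
    }
}
```

Mapping every IllegalArgumentException from that state is deliberately broad: it also covers misconfiguration errors, so keep the full exception in the server log (Spring Webflow still logs it before the handler transitions) and watch for an unexpected rise in stopWebflow hits after deploying this.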

Jérôme LELEU

Dec 5, 2018, 11:24:10 AM
to cas-...@apereo.org
Hi,

Yes, it feels a bit too aggressive to return an IllegalArgumentException, but I think it makes sense as there is already a check via the hasDelegationRequestFailed method to know if the authentication has failed. The check may be incomplete though...

In fact, it's the responsibility of pac4j to handle cancelled/failed authentications and in that case, it returns null credentials (for delegated authentications), but here, the CAS server takes over.

In any case, we should certainly avoid throwing an IllegalArgumentException when pac4j returns null credentials.

How do you get the AuthnFailed SAML response?

Thanks.
Best regards,
Jérôme



Rich Renomeron

Dec 22, 2018, 11:26:48 AM
to cas-...@apereo.org
I have a Shibboleth IdP with a custom x509 authenticator that handles smartcard authN via Client Cert authentication over TLS. When there is no cert (after a reasonable number of retries and reminders to the user to stick the card in the reader, please and thank you), it returns an AuthN failed response to the RP, in this case CAS.  I chose to have it work this way because I wanted to minimize the UI for the Shibboleth IdP.

I have a workaround for now.  It might be a while before I have the bandwidth to figure out a PR to address it.

Thanks,
Rich
--
Rich Renomeron, Project Lead
TCG, Inc. - Positively Distinct - CMMI-DEV Level 3 - CMMI-SVC Level 2 - ISO 9001:2015
+1 (202) 643-8460 | richard....@tcg.com | www.tcg.com