opensaml::FatalProfileException at (https://(hostname)/Shibboleth.sso/SAML2/POST)
SAML response contained an error.
Error from identity provider:
Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
I was unable to find any other relevant error in the IdP and SP logs.
Sequence of events:
1. Try to access protected resource.
2. Redirected to shib login: https://(hostname)/Shibboleth.sso/Login?acsIndex=1&target=https://(hostname)/shib/index.php
3. Authenticated normally, redirected back to my application.
4. I now wish to force re-authentication, so I go to the following URL: https://(hostname)/Shibboleth.sso/Login?acsIndex=1&target=https://(hostname)/shib/index.php&forceAuthn=true
...which results in the above error.
If I strip off the &forceAuthn=true, I remain authenticated and am
redirected back to the target normally.
The shibd logs indicate that the only difference in the AuthnRequest
between a working and non-working state is the existence of ForceAuthn="1":
With forceAuthn:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="1" Destination="https://shibboleth2.uchicago.edu/idp/profile/SAML2/Redirect/SSO" ForceAuthn="1" ID="_563527f6394bf11d21176bb7e33b7bbf" IssueInstant="2009-05-15T16:13:32Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://(hostname)/shib</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
Without:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="1" Destination="https://shibboleth2.uchicago.edu/idp/profile/SAML2/Redirect/SSO" ID="_35093e02fdadfa61abb75db8c0158813" IssueInstant="2009-05-15T16:20:13Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://(hostname)/shib</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
Does anyone know what might be causing this error to appear? Is anyone else using this option successfully? We've tried every configuration option we could think of, but if ForceAuthn="1" ever ends up in the AuthnRequest, we get the error.
Environment:
SP: 2.2, r2986
IdP: 2.1
I have shibd logs for both the working and non-working case, and can post them if it would be helpful.
Thank you for your attention.
- Justin
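As an added example (not part of the thread or of Shibboleth), a small Python triage helper for the case above: it reads the ForceAuthn flag out of the two AuthnRequests quoted in the post and walks the nested StatusCode chain of a SAML Response, so the Responder/AuthnFailed pair the SP reported can be tied back to the request that triggered it. The Response XML is constructed here to carry that status pair; the request copies are trimmed (Destination omitted).

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XSD_TRUE = {"1", "true"}  # both xs:boolean lexical forms; the SP emits "1"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

def authn_request_flags(xml_text):
    """Return (issuer, force_authn) from an AuthnRequest, normalising xs:boolean."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    force = root.get("ForceAuthn", "false").strip().lower() in XSD_TRUE
    return issuer, force

def status_chain(xml_text):
    """Return the nested StatusCode values of a Response, top-level first."""
    root = ET.fromstring(xml_text)
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:  # sub-status codes nest inside the top-level code
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes

def explain(request_xml, response_xml):
    """Pair a request with its response and name the outcome seen in the thread."""
    _, force = authn_request_flags(request_xml)
    chain = status_chain(response_xml)
    if chain[:1] == [SUCCESS]:
        return "success"
    if force and AUTHN_FAILED in chain:
        return "IdP refused forced re-authentication"
    return "error: " + " / ".join(chain)

# Trimmed copies of the two AuthnRequests from the post; the Response is a
# constructed sample carrying the Responder/AuthnFailed pair the SP reported.
SAMLP = 'xmlns:samlp="%s"' % NS["samlp"]
ISSUER = '<saml:Issuer xmlns:saml="%s">https://(hostname)/shib</saml:Issuer>' % NS["saml"]
REQ_WITH_FORCE = ('<samlp:AuthnRequest %s AssertionConsumerServiceIndex="1" ForceAuthn="1" '
                  'ID="_563527f6394bf11d21176bb7e33b7bbf" IssueInstant="2009-05-15T16:13:32Z" '
                  'Version="2.0">%s<samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>'
                  % (SAMLP, ISSUER))
REQ_PLAIN = REQ_WITH_FORCE.replace(' ForceAuthn="1"', '').replace(
    "_563527f6394bf11d21176bb7e33b7bbf", "_35093e02fdadfa61abb75db8c0158813")
RESP_FAILED = ('<samlp:Response %s ID="_constructed" Version="2.0" IssueInstant="2009-05-15T16:13:33Z">'
               '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
               '<samlp:StatusCode Value="%s"/></samlp:StatusCode></samlp:Status></samlp:Response>'
               % (SAMLP, AUTHN_FAILED))
```

Running `explain(REQ_WITH_FORCE, RESP_FAILED)` names the forced re-authentication refusal, while the same Response paired with `REQ_PLAIN` is reported as a plain error chain, which matches Scott's point below that the SP is only relaying the IdP's verdict.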
Are you using a login handler at the IdP that supports forced authentication
and is it configured to recognize that?
> I have shibd logs for both the working and non-working case, and can post
> them if it would be helpful.
The SP has nothing to do with it. It's just reporting the result the IdP
returns.
(Using any of the advanced options pretty much demands using
redirection-based error handling or you'll just get useless error pages and
confused users.)
-- Scott
Jim
On Thu, 21 May 2009, Justin Sante wrote:
> Date: Thu, 21 May 2009 09:18:13 -0700
> From: Justin Sante <jsa...@uchicago.edu>
> To: "shibbole...@internet2.edu" <shibbole...@internet2.edu>
> Reply-To: "shibbole...@internet2.edu" <shibbole...@internet2.edu>
> Subject: Re: [Shib-Users] Error with forceAuthn option