"Insufficient Authentication" when using with RemoteUser login handler #40
You may very well be right. I don't think the overlay considers the remote-user, though I speculate that with a few tricks to the web.xml, you might be able to make this work. |
On Tue, Apr 11, 2017 at 10:25 AM, Misagh Moayyed ***@***.***> wrote:
You may very well be right. I don't think the overlay considers the
remote-user, though I speculate that with a few tricks to the web.xml, you
might be able to make this work.
I don't suppose you can share any pointers?
Liam
|
On Thu, May 4, 2017 at 3:41 PM, Liam Hoekenga ***@***.***> wrote:
You may very well be right. I don't think the overlay considers the
remote-user, though I speculate that with a few tricks to the web.xml, you
might be able to make this work.
Actually, I get the problem using the password authentication flow too:
2017-05-04 17:00:01,980 - ERROR
[org.springframework.security.authentication.InsufficientAuthenticationException:76]
- xxx.xxx.xxx.xxx -
org.springframework.security.authentication.InsufficientAuthenticationException:
User must be authenticated with Spring Security before authorization can be
completed.
at
org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:138)
|
On Thu, May 4, 2017 at 4:01 PM, Liam Hoekenga ***@***.***> wrote:
Actually, I get the problem using the password authentication flow too:
Never mind... it looks like I skipped the mvc-beans.xml step. I got further
with password than I had.
Things are still amiss back in the land of RemoteUser..
2017-05-04 17:31:00,048 - DEBUG
[net.shibboleth.idp.oidc.flow.CheckAuthenticationRequiredAction:84] - -
Profile Action CheckAuthenticationRequiredAction: Checking whether
authentication is required
2017-05-04 17:31:00,048 - DEBUG
[net.shibboleth.idp.oidc.flow.CheckAuthenticationRequiredAction:129] - -
IdP session not found
2017-05-04 17:31:00,049 - DEBUG
[net.shibboleth.idp.oidc.flow.BuildAuthenticationContextAction:97] - -
Profile Action BuildAuthenticationContextAction: Building authentication
context
2017-05-04 17:31:00,050 - DEBUG
[net.shibboleth.idp.oidc.flow.BuildAuthenticationContextAction:118] - -
Authentication context does not require force authN for client
2017-05-04 17:31:00,224 - DEBUG
[net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:200] - -
Profile Action PopulateAuthenticationContext: Installed 3 potential
authentication flows into AuthenticationContext
2017-05-04 17:31:00,242 - DEBUG
[net.shibboleth.idp.session.impl.PopulateSessionContext:133] - - Profile
Action PopulateSessionContext: No session found for client
2017-05-04 17:31:00,302 - DEBUG
[net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:117] -
- Profile Action InitializeRequestedPrincipalContext: Leaving existing
RequestedPrincipalContext in place
2017-05-04 17:31:00,327 - DEBUG
[net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:53] - - Profile
Action FilterFlowsByForcedAuthn: Request does not have forced
authentication requirement, nothing to do
2017-05-04 17:31:00,352 - DEBUG
[net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:53] - -
Profile Action FilterFlowsByNonBrowserSupport: Request does not have
non-browser requirement, nothing to do
2017-05-04 17:31:00,375 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:370] - - Profile
Action SelectAuthenticationFlow: Specific principals requested with 'exact'
operator:
[AuthnContextClassRefPrincipal{authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport}]
2017-05-04 17:31:00,382 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:386] - - Profile
Action SelectAuthenticationFlow: No active results available, selecting an
inactive flow
2017-05-04 17:31:00,383 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:407] - - Profile
Action SelectAuthenticationFlow: Checking for an inactive flow compatible
with operator 'exact' and principal
'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
2017-05-04 17:31:00,384 - DEBUG
[net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:82]
- - Registry located predicate factory of type
'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory'
for principal type 'class
net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal' and
operator 'exact'
2017-05-04 17:31:00,389 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:338] - - Profile
Action SelectAuthenticationFlow: Selecting inactive authentication flow
authn/RemoteUserInternal
2017-05-04 17:31:00,586 - DEBUG
[net.shibboleth.idp.authn.impl.ExtractRemoteUser:161] - - Profile Action
ExtractRemoteUser: No user identity found in request
2017-05-04 17:31:00,597 - INFO
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:129] - - Profile
Action SelectAuthenticationFlow: Moving incomplete flow
authn/RemoteUserInternal to intermediate set
2017-05-04 17:31:00,598 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:370] - - Profile
Action SelectAuthenticationFlow: Specific principals requested with 'exact'
operator:
[AuthnContextClassRefPrincipal{authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport}]
2017-05-04 17:31:00,598 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:386] - - Profile
Action SelectAuthenticationFlow: No active results available, selecting an
inactive flow
2017-05-04 17:31:00,599 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:407] - - Profile
Action SelectAuthenticationFlow: Checking for an inactive flow compatible
with operator 'exact' and principal
'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
2017-05-04 17:31:00,599 - DEBUG
[net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:82]
- - Registry located predicate factory of type
'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory'
for principal type 'class
net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal' and
operator 'exact'
2017-05-04 17:31:00,600 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:338] - - Profile
Action SelectAuthenticationFlow: Selecting inactive authentication flow
authn/remoteuserplus
2017-05-04 17:31:01,293 - INFO
[net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:257] - xxx.xxx.xxx.xxx
- User identity not found in request
2017-05-04 17:31:01,433 - INFO
[net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:152] -
xxx.xxx.xxx.xxx - Profile Action ValidateExternalAuthentication: External
authentication failed, no user identity or error information returned
2017-05-04 17:31:01,565 - INFO
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:129] -
xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: Moving
incomplete flow authn/remoteuserplus to intermediate set
2017-05-04 17:31:01,569 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:370] -
xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: Specific
principals requested with 'exact' operator:
[AuthnContextClassRefPrincipal{authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport}]
2017-05-04 17:31:01,569 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:386] -
xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: No active
results available, selecting an inactive flow
2017-05-04 17:31:01,570 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:407] -
xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: Checking for an
inactive flow compatible with operator 'exact' and principal
'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
2017-05-04 17:31:01,574 - DEBUG
[net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:82]
- xxx.xxx.xxx.xxx - Registry located predicate factory of type
'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory'
for principal type 'class
net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal' and
operator 'exact'
2017-05-04 17:31:01,575 - INFO
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:428] -
xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: None of the
potential authentication flows can satisfy the request
2017-05-04 17:31:01,593 - ERROR
[org.springframework.webflow.execution.FlowExecutionException:76] -
xxx.xxx.xxx.xxx -
org.springframework.webflow.execution.FlowExecutionException: Exception
thrown in state 'doAuthenticationSubflow' of flow 'oidc/login'
at
org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
Caused by: java.lang.IllegalArgumentException: Cannot find state with id
'RequestUnsupported' in flow 'oidc/login' -- Known state ids are
'array<String>['initializeLogin', 'clientStorageLoad', 'continueLogin',
'checkAuthenticationRequired', 'checkInitialAuthenticationRequired',
'preInitialSetup', 'doInitialAuthenticationSubflow', 'postInitialSetup',
'buildAuthenticationContext', 'doAuthenticationSubflow',
'checkResolveAttributes', 'checkForSubjectContext',
'populateSubjectContext', 'resolveAttributes', 'attributeResolution',
'doPreAuthorizeUserApprovalAction', 'doPostAuthnInterceptSubflow',
'buildResponse', 'clientStorageSave', 'doPostAuthorizeUserApprovalAction',
'redirectResponse', 'done', 'error']'
at org.springframework.webflow.engine.Flow.getStateInstance(Flow.java:342)
|
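Added example, not part of the thread or of the overlay's own code: a short Python sketch that re-joins the wrapped log records shown above and reports which authentication flows the IdP tried, why each was left incomplete, and whether flow selection ran out of candidates. The regular expressions assume the message wording seen in this log, and the sample is built from four of its records.

```python
import re

# Constructed sample: four records taken from the log in this thread, still
# wrapped mid-record the way the e-mail reply wrapped them.
SAMPLE = """\
2017-05-04 17:31:00,389 - DEBUG
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:338] - - Profile
Action SelectAuthenticationFlow: Selecting inactive authentication flow
authn/RemoteUserInternal
2017-05-04 17:31:00,586 - DEBUG
[net.shibboleth.idp.authn.impl.ExtractRemoteUser:161] - - Profile Action
ExtractRemoteUser: No user identity found in request
2017-05-04 17:31:00,597 - INFO
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:129] - - Profile
Action SelectAuthenticationFlow: Moving incomplete flow
authn/RemoteUserInternal to intermediate set
2017-05-04 17:31:01,575 - INFO
[net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:428] -
xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: None of the
potential authentication flows can satisfy the request
"""

# Zero-width split point in front of every timestamp that starts a line.
STAMP = re.compile(r"^(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} - )", re.MULTILINE)
SELECT = re.compile(r"Selecting (?:in)?active authentication flow (\S+)")
INCOMPLETE = re.compile(r"Moving incomplete flow (\S+) to intermediate set")
REASON = re.compile(r"No user identity found in request|User identity not found"
                    r" in request|External authentication failed, [^.]*")
EXHAUSTED = "None of the potential authentication flows can satisfy the request"

def records(text):
    """Re-join wrapped lines; a new record starts at each timestamp."""
    return [" ".join(chunk.split()) for chunk in STAMP.split(text) if chunk.strip()]

def summarize(text):
    """Return (attempted flows with failure reasons, selection exhausted?)."""
    attempts, exhausted = [], False
    for rec in records(text):
        if m := SELECT.search(rec):
            attempts.append({"flow": m.group(1), "reasons": [], "incomplete": False})
        elif attempts and (m := REASON.search(rec)):
            attempts[-1]["reasons"].append(m.group(0))
        elif attempts and (m := INCOMPLETE.search(rec)) and m.group(1) == attempts[-1]["flow"]:
            attempts[-1]["incomplete"] = True
        elif EXHAUSTED in rec:
            exhausted = True
    return attempts, exhausted
```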
We might need to set up some sort of session so I can review this with you. Or at least learn more about your setup so I can duplicate it on my end. That sound like a good idea? Possible dates/times besides today and next Monday? |
Pretty much any afternoon next week.
If it's later in the week, I can confirm that my build works with the
Password flow before tackling RemoteUser.
Liam
On Fri, May 5, 2017 at 11:03 AM, Misagh Moayyed ***@***.***> wrote:
We might need to set up some sort of session so I can review this with
you. Or at least learn more about your setup so I can duplicate it on my
end. That sound like a good idea? Possible dates/times besides today and
next Monday?
|
OK. I am generally around until 3pm EDT. I'd prefer to do this before next Thursday, but once you get confirmation please ping the same thread and we'll set something up. I am also at mmoayyed@unicon.net if you wanted to reach out privately. |
I think that we addressed most of this by calling out the individual OIDC endpoints in the filter-mapping in web.xml |
I've installed the overlay on IDP 3.3.1 and it appears to be active. When I try to log in, the IDP presents an error in the browser ("An error occurred: InsufficientAuthenticationException")
2017-04-05 15:11:57,023 - ERROR [org.springframework.security.authentication.InsufficientAuthenticationException:76] - 141.213.171.221 -
org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed.
at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:138)
and I see this in the error log. I'm guessing the Shib RemoteUser handler isn't going through spring security?