Internet2 / Shibboleth-Multi-Context-Broker

Shibboleth Multi-context Broker

forceAuth causing SAML authnFail messages to be transmitted #8

Closed langedb closed 10 years ago

langedb commented 10 years ago

We have an SP here which is sending forceAuth requests. The MCB seems to send the SP an authFail message rather than causing the login screen to be re-displayed.

langedb commented 10 years ago

The other issue we're having in regard to forceAuth is that since the UserPrincipal object is preserved, it's causing the method chooser screen to appear for our users if they have multiple methods that satisfy the AuthnContextClassRef. This is undesirable as during the initial login the InitialAuthContext is what we want the user to be forceAuthn'd to and not Duo.

paulhethmon commented 10 years ago

I did some testing with this and I believe the fix is to pull and flow the Principal thru authentication. In my tests this prevents the SAML error from being sent and requires the user to re-authenticate at the proper context level.

Pull the current code and see if this fixes the issue for you.

langedb commented 10 years ago

It doesn't quite fix the issue. Yes, it will do the force on the context that the user selects, but if the context happens to be something like Duo it will only do the Duo portion. What we need it to do in that case is also force the InitialAuthnContext to fire too. I know it's not exactly spec specific, but ideally what I'd like to see here is the session completely destroyed & rebuilt.

On Wed, Jun 4, 2014 at 7:19 PM, paulhethmon notifications@github.com wrote:

> I did some testing with this and I believe the fix is to pull and flow the Principal thru authentication. In my tests this prevents the SAML error from being sent and requires the user to re-authenticate at the proper context level.
>
> Pull the current code and see if this fixes the issue for you.

David Langenberg Identity & Access Management The University of Chicago

langedb commented 10 years ago

University of Chicago and University of Alaska have moved forward with productionizing PR #9 and its handling of forceAuthn as that provides the UX we need from the feature. Is there some way we could either make that the default behavior of a forceAuthn request even though technically it isn't spec-compliant or alternately a configurable switch in the MCB?

paulhethmon commented 10 years ago

Version 1.2.0 will include a change to accomplish the desired behavior. When forceAuthn is requested, the state of the Principal object is reset. Only the Principal Name is retained. This will force the MCB to perform full regular authentication since no authentication information is retained from the previous session.

Related is a new option to specify MCB behavior when the Principal Name changes during a session. Choices are to allow any changes, only changes in case of the principal name, or no changes at all.

Code is committed for 1.2.0 but is not released yet as other issues are still outstanding for the release.
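To make the 1.2.0 behaviour described in this thread concrete, here is an added Python model (not MCB code, which is Java; the names `Principal`, `NameChangePolicy`, `PREREQS` and the functions are assumptions) of the forceAuthn reset that keeps only the principal name, the effect that has on which contexts the user must redo, and the principal-name-change policy:

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class NameChangePolicy(Enum):
    ANY = "any"         # accept any new principal name during a session
    CASE_ONLY = "case"  # accept only changes in letter case
    NONE = "none"       # reject every change


@dataclass
class Principal:
    name: str
    satisfied: Set[str] = field(default_factory=set)  # contexts already authenticated


# Constructed sample: Duo is a step-up that must follow the initial login.
PREREQS: Dict[str, List[str]] = {"Duo": ["InitialAuthnContext"]}


def handle_authn_request(principal: Optional[Principal], force_authn: bool) -> Optional[Principal]:
    """State the login flow starts from. On forceAuthn only the name survives,
    so no earlier context can satisfy the new request."""
    if principal is None:
        return None
    if force_authn:
        return Principal(name=principal.name)
    return principal


def contexts_to_authenticate(principal: Principal, requested: str) -> List[str]:
    """Contexts still to be completed, in order, to reach `requested`."""
    needed = PREREQS.get(requested, []) + [requested]
    return [c for c in needed if c not in principal.satisfied]


def name_change_allowed(old_name: str, new_name: str, policy: NameChangePolicy) -> bool:
    """Apply the principal-name-change option to a re-authenticated name."""
    if old_name == new_name or policy is NameChangePolicy.ANY:
        return True
    if policy is NameChangePolicy.CASE_ONLY:
        return old_name.casefold() == new_name.casefold()
    return False
```

Without the reset a session that already holds InitialAuthnContext would only be asked for Duo; with it both steps run again.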