OpenConext / Stepup-Gateway

Stepup Gateway
Apache License 2.0

Confusion of (session-)contexts #318

Open tvdijen opened 3 months ago

tvdijen commented 3 months ago

Scenario:

I have two instances of Engineblock that share the same instance of Stepup for MFA. I open two tabs to Manage on both EB-instances. Manage is configured to require MFA. On both tabs the token selection-page is shown. I authenticate using a Yubikey on one, then again on the second tab.

Issue: After MFA authentication on the second one, it redirects me to the wrong EB-instance. This leads to a 'Session lost' page. It seems as if Gateway is unable to distinguish the two authentication flows.

Expected: Gateway should be able to distinguish the two authentication flows based on the message IDs.

MKodde commented 3 months ago

@tvdijen Thanks for your observation. In this case this is not an actual bug, but something we do intentionally. The different types of authentications (SSO+StepUp, SecondFactorOnly, GSSP second factor authentication) are built in such a way that only one of the three flavours can be handled by the gateway at one time.

You can see this happening here:

We have considered allowing multiple in-flight authentications which are tracked on the Request ID of the SAML messages. But that opens a whole other realm of complexities and possible exploitation avenues.

Do SSP IdP/SPs allow for handling multiple AuthnRequests for a single user from a concurrent browser session?

tvdijen commented 3 months ago

> Do SSP IdP/SPs allow for handling multiple AuthnRequests for a single user from a concurrent browser session?

Yes, the different flows are separated using the AuthState URL parameter.
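As an added illustration of the two designs weighed in this thread (one in-flight authentication per browser session, versus tracking each flow by its SAML request ID the way SimpleSAMLphp's AuthState parameter separates flows), the toy model below is not Stepup-Gateway or SimpleSAMLphp code; its request IDs and ACS URLs are constructed values.

```python
# Added example (not Stepup-Gateway code): a toy model contrasting a gateway
# that keeps one pending authentication per session with one keyed on the
# SAML AuthnRequest ID. Request IDs and ACS URLs are constructed values.
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthnRequest:
    request_id: str  # SAML AuthnRequest ID
    acs_url: str     # where the SP expects the SAML Response

class SingleSlotGateway:
    """One pending authentication per session; a new request overwrites it."""
    def __init__(self):
        self.session = {}

    def receive(self, req):
        self.session["pending"] = req

    def complete(self, request_id):
        # Resolved from session state alone: the ID of the flow that actually
        # finished MFA is never consulted, so the response goes to whichever
        # AuthnRequest arrived last (the 'Session lost' symptom in the issue).
        return self.session["pending"].acs_url

class RequestIdKeyedGateway:
    """Pending authentications tracked per AuthnRequest ID inside the session."""
    def __init__(self):
        self.session = {}

    def receive(self, req):
        self.session.setdefault("pending", {})[req.request_id] = req

    def complete(self, request_id):
        # pop() consumes the entry so a finished flow cannot be completed twice,
        # and an ID never issued to this browser session is rejected.
        req = self.session.get("pending", {}).pop(request_id, None)
        if req is None:
            raise LookupError("no in-flight authentication for this request id")
        return req.acs_url

def simulate(gateway_cls):
    """Two EB instances start MFA in two tabs, then each tab finishes MFA."""
    gw = gateway_cls()
    eb1 = AuthnRequest("_req-eb1", "https://eb1.example/acs")
    eb2 = AuthnRequest("_req-eb2", "https://eb2.example/acs")
    gw.receive(eb1)
    gw.receive(eb2)
    return gw.complete(eb1.request_id), gw.complete(eb2.request_id)
```

Keying on the request ID fixes the redirect, but as the thread notes it also widens the state the gateway must protect: the entry must stay bound to the browser session that issued it and be consumed once.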