Unicon / shib-cas-authn3

Integrates an external CAS Server and Shibboleth IdPv3.
Apache License 2.0

Upgrade to IdP 3.3 flow definitions #18

Closed tsschmidt closed 7 years ago

tsschmidt commented 8 years ago

IdP 3.3 has been released. I tested the plugin with the new release and the functionality that was in 3.2.1 still works as expected. I tried using the plugin as part of the new MFA flow and the Duo would error out with a null pointer because username was null. Here is a possible explanation of the issue from Scott Cantor:

Overnight epiphany...if the flow you're using is based on the External flow, but is a copy of it, not just a servlet that's receiving and handling the external authentication request, it probably is a copy of the pre-3.3 flow that leaves out a step to get the user identity in place.

Older login flows are still compatible with 3.3, but the Duo flow's assumptions are only met by the modified versions of the flows that ship with 3.3. Specifically, I moved subject canonicalization into each login flow instead of relying on the master authn flow to handle it.

So yes, you're probably correct that there's a compatibility issue there.

jtgasper3 commented 8 years ago

@tsschmidt Thanks for the report.

Are you saying the cas-shib-authn3 needs to be upgraded to support 3.3.0 or the Duo flow needs to be upgraded? Which Duo module are you using: Duo's, Unicon's, or the new "native" support?

tsschmidt commented 8 years ago

cas-shib-authn3 needs to be upgraded to support 3.3.0. It looks like the flow has been modified slightly to pull user name for the new MFA flow that allows for Duo or other 2FA providers. As it is now, the Shibcas flow is not compatible with the new MFA flow in the IdP.

On Tue, Nov 15, 2016 at 10:12 AM John Gasper wrote:

> @tsschmidt Thanks for the report.
>
> Are you saying the cas-shib-authn3 needs to be upgraded to support 3.3.0 or the Duo flow needs to be upgraded? Which Duo module are you using: Duo's, Unicon's, or the new "native" support?

mmoayyed commented 8 years ago

This probably merits a 3.3 version of the plugin as well, plus a separate branch to move the current master into.

jwandrews4 commented 7 years ago

What modifications need to be made to the login flow of Shibcas to work with 3.3 flows, specifically Duo?

jtgasper3 commented 7 years ago

Can you be more specific about what you are desiring to do? Most adopters manage/control Duo from the CAS side.

jtgasper3 commented 7 years ago

It should be said that the latest Shib-cas-authn3 release supports IdP 3.3.0/3.3.1. This issue should have been closed at that time.

@jwandrews4 Can I ask that you create a new issue for your Duo questions?