"Insufficient Authentication" when using with RemoteUser login handler

[lhoekenga]

I've installed the overlay on IDP 3.3.1 and it appears to be active. When I try to log in, the IDP present an error in the browser ("An error occurred: InsufficientAuthenticationException")

2017-04-05 15:11:57,023 - ERROR [org.springframework.security.authentication.InsufficientAuthenticationException:76] - 141.213.171.221 - org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed. at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:138)

and I see this in the error log. I'm guessing the Shib RemoteUser handler isn't going through spring security?

[mmoayyed]

You may very well be right. I don't think the overlay considers the remote-user, though I speculate that with a few tricks to the web.xml, you might be able to make this work.

[lhoekenga]

On Tue, Apr 11, 2017 at 10:25 AM, Misagh Moayyed notifications@github.com wrote:

You may very well be right. I don't think the overlay considers the remote -user, though I speculate that with a few tricks to the web.xml, you might be able to make this work.

I don't suppose you can share any pointers?

Liam

[lhoekenga]

On Thu, May 4, 2017 at 3:41 PM, Liam Hoekenga liamr@umich.edu wrote:

You may very well be right. I don't think the overlay considers the remote -user, though I speculate that with a few tricks to the web.xml, you might be able to make this work.

Actually, I get the problem using the password authentication flow too:

2017-05-04 17:00:01,980 - ERROR [org.springframework.security.authentication.InsufficientAuthenticationException:76]

• xxx.xxx.xxx.xxx - org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed. at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:138)

[lhoekenga]

On Thu, May 4, 2017 at 4:01 PM, Liam Hoekenga liamr@umich.edu wrote:

Actually, I get the problem using the password authentication flow too:

Nevermind... it looks like I skipped the mvc-beans.xml step. I got further with password than i had.

Things are still amis back in the land of RemoteUser..

2017-05-04 17:31:00,048 - DEBUG [net.shibboleth.idp.oidc.flow.CheckAuthenticationRequiredAction:84] - - Profile Action CheckAuthenticationRequiredAction: Checking whether authentication is required 2017-05-04 17:31:00,048 - DEBUG [net.shibboleth.idp.oidc.flow.CheckAuthenticationRequiredAction:129] - - IdP session not found 2017-05-04 17:31:00,049 - DEBUG [net.shibboleth.idp.oidc.flow.BuildAuthenticationContextAction:97] - - Profile Action BuildAuthenticationContextAction: Building authentication context 2017-05-04 17:31:00,050 - DEBUG [net.shibboleth.idp.oidc.flow.BuildAuthenticationContextAction:118] - - Authentication context does not require force authN for client 2017-05-04 17:31:00,224 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:200] - - Profile Action PopulateAuthenticationContext: Installed 3 potential authentication flows into AuthenticationContext 2017-05-04 17:31:00,242 - DEBUG [net.shibboleth.idp.session.impl.PopulateSessionContext:133] - - Profile Action PopulateSessionContext: No session found for client 2017-05-04 17:31:00,302 - DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:117] -

• Profile Action InitializeRequestedPrincipalContext: Leaving existing RequestedPrincipalContext in place 2017-05-04 17:31:00,327 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:53] - - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do 2017-05-04 17:31:00,352 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:53] - - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do 2017-05-04 17:31:00,375 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:370] - - Profile Action SelectAuthenticationFlow: Specific principals requested with 'exact' operator: [AuthnContextClassRefPrincipal{authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport}] 2017-05-04 17:31:00,382 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:386] - - Profile Action SelectAuthenticationFlow: No active results available, selecting an inactive flow 2017-05-04 17:31:00,383 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:407] - - Profile Action SelectAuthenticationFlow: Checking for an inactive flow compatible with operator 'exact' and principal 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' 2017-05-04 17:31:00,384 - DEBUG [net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:82]
  • • Registry located predicate factory of type 'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory' for principal type 'class net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal' and operator 'exact' 2017-05-04 17:31:00,389 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:338] - - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/RemoteUserInternal 2017-05-04 17:31:00,586 - DEBUG [net.shibboleth.idp.authn.impl.ExtractRemoteUser:161] - - Profile Action ExtractRemoteUser: No user identity found in request 2017-05-04 17:31:00,597 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:129] - - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/RemoteUserInternal to intermediate set 2017-05-04 17:31:00,598 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:370] - - Profile Action SelectAuthenticationFlow: Specific principals requested with 'exact' operator: [AuthnContextClassRefPrincipal{authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport}] 2017-05-04 17:31:00,598 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:386] - - Profile Action SelectAuthenticationFlow: No active results available, selecting an inactive flow 2017-05-04 17:31:00,599 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:407] - - Profile Action SelectAuthenticationFlow: Checking for an inactive flow compatible with operator 'exact' and principal 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' 2017-05-04 17:31:00,599 - DEBUG [net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:82]
  • • Registry located predicate factory of type 'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory' for principal type 'class net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal' and operator 'exact' 2017-05-04 17:31:00,600 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:338] - - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/remoteuserplus 2017-05-04 17:31:01,293 - INFO [net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:257] - xxx.xxx.xxx.xxx
  • User identity not found in request 2017-05-04 17:31:01,433 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:152] - xxx.xxx.xxx.xxx - Profile Action ValidateExternalAuthentication: External authentication failed, no user identity or error information returned 2017-05-04 17:31:01,565 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:129] - xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/remoteuserplus to intermediate set 2017-05-04 17:31:01,569 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:370] - xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: Specific principals requested with 'exact' operator: [AuthnContextClassRefPrincipal{authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport}] 2017-05-04 17:31:01,569 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:386] - xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: No active results available, selecting an inactive flow 2017-05-04 17:31:01,570 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:407] - xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: Checking for an inactive flow compatible with operator 'exact' and principal 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' 2017-05-04 17:31:01,574 - DEBUG [net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactoryRegistry:82]
  • xxx.xxx.xxx.xxx - Registry located predicate factory of type 'net.shibboleth.idp.authn.principal.impl.ExactPrincipalEvalPredicateFactory' for principal type 'class net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal' and operator 'exact' 2017-05-04 17:31:01,575 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:428] - xxx.xxx.xxx.xxx - Profile Action SelectAuthenticationFlow: None of the potential authentication flows can satisfy the request 2017-05-04 17:31:01,593 - ERROR [org.springframework.webflow.execution.FlowExecutionException:76] - xxx.xxx.xxx.xxx - org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'doAuthenticationSubflow' of flow 'oidc/login' at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) Caused by: java.lang.IllegalArgumentException: Cannot find state with id 'RequestUnsupported' in flow 'oidc/login' -- Known state ids are 'array['initializeLogin', 'clientStorageLoad', 'continueLogin', 'checkAuthenticationRequired', 'checkInitialAuthenticationRequired', 'preInitialSetup', 'doInitialAuthenticationSubflow', 'postInitialSetup', 'buildAuthenticationContext', 'doAuthenticationSubflow', 'checkResolveAttributes', 'checkForSubjectContext', 'populateSubjectContext', 'resolveAttributes', 'attributeResolution', 'doPreAuthorizeUserApprovalAction', 'doPostAuthnInterceptSubflow', 'buildResponse', 'clientStorageSave', 'doPostAuthorizeUserApprovalAction', 'redirectResponse', 'done', 'error']' at org.springframework.webflow.engine.Flow.getStateInstance(Flow.java:342)

[mmoayyed]

We might need to set up some sort of session so I can review this with you. Or at least learn more about your setup so I can duplicate it on my end. That sound like a good idea? Possible dates/times besides today and next Monday?

[lhoekenga]

Pretty much any afternoon next week. If it's later in the week, I can confirm that my build works with the Password flow before tackling RemoteUser.

Liam

On Fri, May 5, 2017 at 11:03 AM, Misagh Moayyed notifications@github.com wrote:

We might need to set up some sort of session so I can review this with you. Or at least learn more about your setup so I can duplicate it on my end. That sound like a good idea? Possible dates/times besides today and next Monday?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/uchicago/shibboleth-oidc/issues/40#issuecomment-299505416, or mute the thread https://github.com/notifications/unsubscribe-auth/AA-SK19sZGczmV1Qh28xgcuO3jSSZtueks5r20hAgaJpZM4M6Nxo .

[mmoayyed]

OK. I am generally around until 3pm EDT. I'd prefer to this before next Thursday, but once you get confirmation please ping the same thread and we'll set something up.

I am also at mmoayyed@unicon.net if you wanted to reach out privately.

[lhoekenga]

I think that we addressed most of this by calling out the individual OIDC endpoints in the filter-mapping in web.xml