wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Adaptive MFA Authentication and user mandatory claims #12277

Open Kktheoch opened 2 years ago

Kktheoch commented 2 years ago

Describe the issue:

I have configured SMS OTP IdP as described here and set up 2 step MFA for authentication for a given Service Provider (Basic Authentication as first step and SMS OTP as second). My service provider contains a few (local) claims mapped for our use case. I have enabled advanced configuration and edited the Adaptive Script to this (essentially unmodified from the original version):

```js
// Default two-step script: basic authentication, then SMS OTP
var onLoginRequest = function(context) {
    executeStep(1);
    executeStep(2);
};
```

During login attempts if there is at least 1 failed attempt at login during the basic authentication flow the user is presented with the "Fill mandatory claims" screen once successfully authenticated. This is not supposed to happen as all claims already have values for every user in our system. If I completely remove the adaptive script (which is essentially filled again by the IDS) this is working as expected and the user is never presented with the screen. I think it's worth noting that this also works as expected as long as the user doesn't fail the very first time in the Basic Authentication flow.

How to reproduce:

1) Set up an SMS OTP provider as IdP. Unclear if it's relevant to a specific provider, it shouldn't be.
2) Create a service provider with SAML2 Web SSO configuration.
3) Add local claim mappings and set them as Mandatory. Ensure that the test user has valid values for all of those claims.
4) Enable Advanced Configuration in Local Authentication Configuration for this SP.
5) Add Basic Authenticator as first step and your SMS OTP IdP as second step. Enable 'Use attributes from this step' in step 1.
6) Copy the provided script as Adaptive authentication script.
7) Attempt to login on the SP with your username/password, failing the first attempt.
8) Complete the authentication. You are presented with a "Set mandatory claims for this Service Provider" screen.

Expected behavior: User should be able to login without being asked about his claims.

Kktheoch commented 2 years ago

Can someone at least confirm that this is a bug and not something on our end?