From: Krzysztof B. <kb...@un...> - 2024-12-09 17:09:32
Hi Sander,

On 5.12.2024 at 12:40, Sander Apweiler wrote:
> Hello Krzysztof,
> hello Roman,
>
> after our IdP starts releasing MFA usage information, we started to
> test the dynamic expression on MFA. We started with a simple condition
> that local second factor should only be used, if the REFEDS profile
> information is not available (see screenshot). Sadly unity shows that
> no second factor is configured, although the information was released
> by the IdP. Sadly we do not see anything in the logs.

1. We have tested something that you described and it works as expected.

2. To make progress, can you please check some details of what is logged during such a failed authentication, with the following loggers set to TRACE:

unity.server.authn.AuthenticationFlowPolicyConfigMVELContextBuilder
unity.server.authn.AuthenticationProcessor
unicore.security.dsig.DigSignatureUtil
unity.server.saml.SamlServletExtractionUtils

(naturally just for such an authN, as this will generate a lot of noise in the logs)

The first one is the most important; it will allow us to limit our searching to one of the two big parts of the process. The others are to check the early SAML side: see the actual SAML response and how it is parsed. So in general I'd love to see the response message, and what goes into the authn flow.

Also we noticed one thing which is a bit surprising on your last screenshot: ACR is reported as an attribute. That is a very narrow part of the log, so a lot of guessing on our side, but can you additionally share whether you have some input profile settings that manipulate ACR? Or maybe the ACR is received as a plain attribute?

Cheers,
Krzysztof