From: Sander A. <sa....@fz...> - 2025-01-03 11:00:06
Hi Krzysztof,

sorry for the long delay on my side. End of last year was very busy. I tried to reproduce the problem today with the additional loggers, but now it works on unity 4.0.4.

Best regards,
Sander

On Mon, 2024-12-09 at 18:09 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 5.12.2024 at 12:40, Sander Apweiler wrote:
> > Hello Krzysztof,
> > hello Roman,
> >
> > after our IdP starts releasing MFA usage information, we started to test the dynamic expression on MFA. We started with a simple condition that local second factor should only be used, if the REFEDS profile information is not available (see screenshot). Sadly unity shows that no second factor is configured, although the information was released by the IdP. Sadly we do not see anything in the logs.
>
> 1. we have tested something that you described and works as expected.
>
> 2. to make progress can you please check some details of what is logged during such failed authentication, with the following loggers set to TRACE:
>
> unity.server.authn.AuthenticationFlowPolicyConfigMVELContextBuilder
> unity.server.authn.AuthenticationProcessor
> unicore.security.dsig.DigSignatureUtil
> unity.server.saml.SamlServletExtractionUtils
>
> (naturally just for such authN, this will generate a lot of noise in logs)
>
> the first one is the most important, will allow us to limit our searching to one of two big parts of the process. The others are to check early SAML side: see the actual SAML response and how it is parsed.
>
> So in general I'd love to see the response message, and what goes into authn flow.
>
> Also we noticed one thing which is a bit surprising on your last screenshot: ACR is reported as attribute. That is very narrow part of log, so a lot of guessing on our side, but can you additionally share whether you have some input profile settings that manipulate ACR? or maybe the ACR is received as a plain attribute?
>
> Cheers,
> Krzysztof

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the Commercial Register of the Düren Local Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair), Dr. Stephanie Bauer (Deputy Chair), Prof. Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
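The four loggers Krzysztof asks to be raised to TRACE, written out as a log4j2 `<Loggers>` fragment. This is an added example, not configuration from the thread or from the Unity project itself: it assumes Unity's logging is driven by a log4j2 XML file and that a file appender named `LOGFILE` already exists in the local configuration (both are assumptions about the deployment). Only the four named loggers are raised; the root level stays at INFO so the rest of the server keeps its normal verbosity.

```xml
<!-- Added example, not part of the original thread or of Unity's shipped config.
     Assumes a log4j2 XML configuration and an existing appender named LOGFILE. -->
<Loggers>
  <!-- Flow-policy side: shows what the MVEL context for the dynamic
       MFA expression actually contains when the decision is made -->
  <Logger name="unity.server.authn.AuthenticationFlowPolicyConfigMVELContextBuilder" level="TRACE"/>
  <Logger name="unity.server.authn.AuthenticationProcessor" level="TRACE"/>

  <!-- Early SAML side: signature verification and extraction of the
       raw response, i.e. how the IdP's assertion is parsed -->
  <Logger name="unicore.security.dsig.DigSignatureUtil" level="TRACE"/>
  <Logger name="unity.server.saml.SamlServletExtractionUtils" level="TRACE"/>

  <!-- Everything else keeps its normal level -->
  <Root level="INFO">
    <AppenderRef ref="LOGFILE"/>
  </Root>
</Loggers>
```

As the thread notes, this produces a lot of output, and because the SAML extraction logger records the response message as received, the resulting log contains the user's released attributes. Capture one failing authentication, then restore the previous levels and handle the captured log file with the same care as the assertion data it contains.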