From: Sander A. <sa....@fz...> - 2024-12-05 11:40:22
Hello Krzysztof, hello Roman,

after our IdP started releasing MFA usage information, we started to test the dynamic expression on MFA. We started with a simple condition that the local second factor should only be used if the REFEDS profile information is not available (see screenshot). Sadly, Unity shows that no second factor is configured, although the information was released by the IdP. Sadly, we do not see anything in the logs.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the commercial register of the Düren local court, no. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chairwoman), Karsten Beneke (Deputy Chairman), Prof. Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2024-12-06 12:17:56
On 5.12.2024 at 12:40, Sander Apweiler wrote:
> Hello Krzysztof,
> hello Roman,
>
> after our IdP starts releasing MFA usage information, we started to
> test the dynamic expression on MFA. We started with a simple condition
> that local second factor should only be used, if the REFEDS profile
> information is not available (see screenshot). Sadly unity shows that
> no second factor is configured, although the information was released
> by the IdP. Sadly we do not see anything in the logs.
>

Hmm, what you pasted looks good. We will recheck whether we can find some problem in the implementation.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2024-12-09 17:09:32
Hi Sander,

On 5.12.2024 at 12:40, Sander Apweiler wrote:
> Hello Krzysztof,
> hello Roman,
>
> after our IdP starts releasing MFA usage information, we started to
> test the dynamic expression on MFA. We started with a simple condition
> that local second factor should only be used, if the REFEDS profile
> information is not available (see screenshot). Sadly unity shows that
> no second factor is configured, although the information was released
> by the IdP. Sadly we do not see anything in the logs.

1. We have tested something like what you described and it works as expected.

2. To make progress, can you please check some details of what is logged during such a failed authentication, with the following loggers set to TRACE:

unity.server.authn.AuthenticationFlowPolicyConfigMVELContextBuilder
unity.server.authn.AuthenticationProcessor
unicore.security.dsig.DigSignatureUtil
unity.server.saml.SamlServletExtractionUtils

(naturally just for such an authN, this will generate a lot of noise in the logs)

The first one is the most important; it will allow us to limit our searching to one of two big parts of the process. The others are to check the early SAML side: see the actual SAML response and how it is parsed.

So in general I'd love to see the response message, and what goes into the authn flow.

Also we noticed one thing which is a bit surprising on your last screenshot: the ACR is reported as an attribute. That is a very narrow part of the log, so a lot of guessing on our side, but can you additionally share whether you have some input profile settings that manipulate the ACR? Or maybe the ACR is received as a plain attribute?

Cheers,
Krzysztof
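The condition the thread is testing (use the local second factor only when the IdP did not assert the REFEDS MFA profile) together with the point raised above about the ACR appearing as an attribute, written out as an added example. This is not Unity's code and not the dynamic expression from the screenshot: it is a stand-alone Python check that takes the AuthnContextClassRef only from the assertion's AuthnStatement and deliberately ignores any attribute carrying the same string, because attributes are user data, not the IdP's statement about how the user authenticated. The SAML responses, the issuer, the NameID and the attribute name authnContextClassRef are constructed for the example; the response signature is assumed to have been verified before this check runs.

```python
"""
Decide whether a local second factor is still needed after a SAML login,
based on whether the IdP asserted the REFEDS MFA profile
(https://refeds.org/profile/mfa) in an AuthnStatement.

Added example, not Unity code. The sample responses are constructed.
Signature validation of the Response/Assertion is assumed to have
already succeeded; only the (already trusted) XML is inspected here.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_ACR = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def authn_context_class_refs(response_xml: str) -> list:
    """Return every AuthnContextClassRef found under an AuthnStatement.

    Only AuthnStatement/AuthnContext is consulted. An <Attribute> whose
    value looks like an ACR is ignored on purpose: attributes are released
    user data, not the IdP's statement about the authentication itself.
    """
    root = ET.fromstring(response_xml)
    refs = []
    for stmt in root.iterfind(".//saml2:Assertion/saml2:AuthnStatement", NS):
        for ref in stmt.iterfind("saml2:AuthnContext/saml2:AuthnContextClassRef", NS):
            if ref.text:
                refs.append(ref.text.strip())
    return refs


def needs_local_second_factor(response_xml: str) -> bool:
    """True unless the IdP asserted the REFEDS MFA profile in an AuthnStatement."""
    return REFEDS_MFA not in authn_context_class_refs(response_xml)


# --- constructed sample responses (hypothetical issuer and subject) ---------

def _authn_statement(acr: str) -> str:
    return (
        '<saml2:AuthnStatement AuthnInstant="2024-12-05T11:40:20Z">'
        '<saml2:AuthnContext><saml2:AuthnContextClassRef>' + acr +
        '</saml2:AuthnContextClassRef></saml2:AuthnContext>'
        '</saml2:AuthnStatement>'
    )


def _response(authn_statement: str, attribute: str = "") -> str:
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="_r1" Version="2.0" IssueInstant="2024-12-05T11:40:22Z">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-12-05T11:40:22Z">
    <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
    <saml2:Subject><saml2:NameID>user@example.org</saml2:NameID></saml2:Subject>
    {authn_statement}
    <saml2:AttributeStatement>{attribute}</saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


# IdP performed MFA and says so in the AuthnStatement: no local second factor.
MFA_RESPONSE = _response(_authn_statement(REFEDS_MFA))

# Password-only login: local second factor is required.
PASSWORD_RESPONSE = _response(_authn_statement(PASSWORD_ACR))

# The REFEDS MFA string arrives only as a plain attribute (hypothetical
# attribute name). This must NOT be treated as MFA having happened.
ATTRIBUTE_ONLY_RESPONSE = _response(
    _authn_statement(PASSWORD_ACR),
    '<saml2:Attribute Name="authnContextClassRef"><saml2:AttributeValue>'
    + REFEDS_MFA + '</saml2:AttributeValue></saml2:Attribute>',
)


if __name__ == "__main__":
    for name, xml in [("mfa", MFA_RESPONSE),
                      ("password", PASSWORD_RESPONSE),
                      ("attribute-only", ATTRIBUTE_ONLY_RESPONSE)]:
        print(name, "ACRs:", authn_context_class_refs(xml),
              "-> local 2FA needed:", needs_local_second_factor(xml))
```

The decision is made after signature verification, and only on the AuthnStatement, for the same reason the thread asks where the ACR came from: an input profile or an attribute release that copies the ACR string into an attribute does not carry the IdP's assurance that a second factor was actually used, so a policy keyed on that attribute would skip the local second factor on the strength of unverified data. When the response has not yet been verified, parse it with defusedxml rather than the standard library parser.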
From: Sander A. <sa....@fz...> - 2025-01-03 11:00:06
Attachments:
smime.p7s
Hi Krzysztof,

sorry for the long delay on my side. The end of last year was very busy. I tried to reproduce the problem today with the additional loggers, but now it works on Unity 4.0.4.

Best regards,
Sander

On Mon, 2024-12-09 at 18:09 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 5.12.2024 at 12:40, Sander Apweiler wrote:
> > Hello Krzysztof,
> > hello Roman,
> >
> > after our IdP starts releasing MFA usage information, we started to
> > test the dynamic expression on MFA. We started with a simple
> > condition
> > that local second factor should only be used, if the REFEDS profile
> > information is not available (see screenshot). Sadly unity shows
> > that
> > no second factor is configured, although the information was
> > released
> > by the IdP. Sadly we do not see anything in the logs.
>
> 1. we have tested something that you described and works as expected.
>
> 2. to make progress can you please check some details of what is
> logged
> during such failed authentication, with the following loggers set to
> TRACE:
>
> unity.server.authn.AuthenticationFlowPolicyConfigMVELContextBuilder
> unity.server.authn.AuthenticationProcessor
> unicore.security.dsig.DigSignatureUtil
> unity.server.saml.SamlServletExtractionUtils
>
> (naturally just for such authN, this will generate a lot of noise in
> logs)
>
> the first one is the most important, will allow us to limit our
> searching to one of two big parts of the process. The other are to
> check
> early SAML side: see the actual SAML response and how it is parsed.
>
> So in general I'd love to see the response message, and what goes
> into
> authn flow.
>
> Also we noticed one thing which is bit surprising on your last
> screenshot: ACR is reported as attribute. That is very narrow part of
> log, so a lot of guessing on our side, but can you additionally share
> whether you have some input profile settings that manipulate ACR? or
> maybe the ACR is received as a plain attribute?
>
> Cheers,
> Krzysztof
>

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...