Hi Asela,

On Fri, Jul 14, 2017 at 9:34 AM, Asela Pathberiya <[email protected]> wrote:

>
>
> On Fri, Jul 14, 2017 at 11:31 AM, Harsha Kumara <[email protected]> wrote:
>
>> Hi All,
>>
>> This is regarding the behavior of Authentication flow between multiple
>> service providers.
>>
>> I have created two service providers with following configurations.
>>
>> *SP1*
>>
>> This service provider has two options which allow users to log in with
>> either the Basic Authentication scheme or Facebook.
>>
>> Configuration
>>
>> 1 Authentication Step with MultiOption with Basic Auth and Facebook.
>>
>>
>> *SP2*
>>
>> This service provider has two authentication steps: a first step which
>> allows users to log in with either the Basic Authentication scheme or
>> Facebook, and a second authentication step with TOTP.
>>
>> Configuration
>>
>> 2 Authentication Steps
>>
>>    - Step 1: MultiOption with Basic Auth and Facebook.
>>    - Step 2: TOTP
>>
>>
>> *Behavioral Concern*
>>
>> I have configured two applications with SP1 and SP2 respectively. Then I
>> logged into the first application with the Basic Authentication scheme
>> which is configured in SP1.
>>
>> But when I went to authenticate with my second application, which is
>> configured with SP2, I was logged into it automatically.
>>
>> Shouldn't it ask for TOTP authentication? Because the first application
>> only authenticated with Basic Auth, but my second application requires
>> Basic Auth + TOTP.
>>
>
> Yes, it should. The session contains the authenticated SP details;
> therefore it can decide based on the SP. If it is not working, it
> seems like a bug.
>

I don't think it has ever worked like that, because we maintain a list of
IdPs against which we have authenticated so far for any service provider.
We don't consider the step number here. So since Basic Auth and TOTP are
both for the LOCAL IdP, IS considers SP2 authenticated as well if we
authenticate with username/password only for SP1.

We were actually trying this as a logical workaround to get step-up
authentication, so that when the application decides it needs second-factor
authentication it sends a request using the new service provider ID, but it
seems this is not possible with the current version of IS.

Regards,
Johann.


> Thanks,
> Asela.
>
>
>>
>> Thanks,
>> Harsha
>>
>> --
>> Harsha Kumara
>> Software Engineer, WSO2 Inc.
>> Mobile: +94775505618
>> Blog: harshcreationz.blogspot.com
>>
>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>              +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>



-- 
Thanks & Regards,

*Johann Dilantha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*
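The session behaviour Johann describes, modelled as an added example (constructed here, not WSO2 IS code): an IdP-only check lets a Basic Auth login to SP1 satisfy SP2's TOTP step because both authenticators map to the LOCAL IdP, while a step-aware check (one possible alternative, not something IS is stated to do) still demands the second step. The authenticator-to-IdP mapping and the SP/step data structures are assumptions for this model.

```python
"""Model of the SSO step-up decision described in the thread (constructed example)."""
from dataclasses import dataclass, field

# Authenticator -> backing IdP. Assumed mapping; Basic Auth and TOTP share LOCAL.
IDP_OF = {"BasicAuth": "LOCAL", "TOTP": "LOCAL", "Facebook": "facebook"}


@dataclass
class ServiceProvider:
    name: str
    steps: list  # each step is the set of authenticators accepted at that step


@dataclass
class Session:
    authenticated_idps: set = field(default_factory=set)       # what IS tracks
    completed_authenticators: set = field(default_factory=set)  # step-aware record

    def record(self, authenticator: str) -> None:
        """Record one successful authenticator run in the SSO session."""
        self.authenticated_idps.add(IDP_OF[authenticator])
        self.completed_authenticators.add(authenticator)


def idp_only_check(session: Session, sp: ServiceProvider) -> bool:
    """Behaviour from the thread: a step counts as done if any of its
    authenticators belongs to an IdP already authenticated in the session."""
    return all(any(IDP_OF[a] in session.authenticated_idps for a in step)
               for step in sp.steps)


def step_aware_check(session: Session, sp: ServiceProvider) -> bool:
    """Alternative: every step needs one of its own authenticators to have
    actually completed in this session, so TOTP cannot ride on Basic Auth."""
    return all(any(a in session.completed_authenticators for a in step)
               for step in sp.steps)


SP1 = ServiceProvider("SP1", [{"BasicAuth", "Facebook"}])
SP2 = ServiceProvider("SP2", [{"BasicAuth", "Facebook"}, {"TOTP"}])


def scenario() -> tuple:
    """Log in to SP1 with Basic Auth, then visit SP2 and compare both checks."""
    s = Session()
    s.record("BasicAuth")
    return idp_only_check(s, SP2), step_aware_check(s, SP2)


if __name__ == "__main__":
    print(scenario())  # (True, False): auto-login vs. TOTP still required
```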
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture