Hi Johan,

On Fri, Jul 14, 2017 at 1:56 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> Hi Asela,
>
> On Fri, Jul 14, 2017 at 9:34 AM, Asela Pathberiya <as...@wso2.com> wrote:
>
>> On Fri, Jul 14, 2017 at 11:31 AM, Harsha Kumara <hars...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> This is regarding the behavior of the authentication flow between multiple
>>> service providers.
>>>
>>> I have created two service providers with the following configurations.
>>>
>>> *SP1*
>>>
>>> This service provider has two options which allow users to log in with
>>> either the Basic Authentication scheme or Facebook.
>>>
>>> Configuration
>>>
>>> 1 Authentication Step with MultiOption with Basic Auth and Facebook.
>>>
>>> *SP2*
>>>
>>> This service provider has two authentication steps: the first allows users
>>> to log in with either the Basic Authentication scheme or Facebook, and the
>>> second authentication step is TOTP.
>>>
>>> Configuration
>>>
>>> 2 Authentication Steps
>>>
>>> - Authentication Step 1: MultiOption with Basic Auth and Facebook.
>>> - Authentication Step 2: TOTP
>>>
>>> *Behavioral Concern*
>>>
>>> I have configured two applications with SP1 and SP2 respectively. Then I
>>> logged into the first application with the Basic Authentication scheme
>>> which is configured in SP1.
>>>
>>> But when I go to authenticate with my second application, which is
>>> configured with SP2, I am logged into it automatically.
>>>
>>> Shouldn't it ask for TOTP authentication? The first application was only
>>> authenticated with Basic Auth, but my second application requires Basic Auth
>>> + TOTP.
>>
>> Yes. It should... The session contains the authenticated SP details...
>> Therefore it can decide based on the SP... If it is not working, it
>> seems like a bug..
>
> I don't think it has ever worked like that because we maintain a list of
> IdPs against which we have authenticated so far for any service provider.
> We don't consider the step number here. So since basic auth and TOTP both
> are for the LOCAL IdP, IS considers SP2 also authenticated if we authenticate
> with username/password only for SP1.
>
> We were actually trying this as a logical workaround to have step-up
> authentication, so when the application decided it needs 2nd-factor
> authentication it would send a request using the new service provider ID,
> but it seems not possible with the current version of IS.

I tested this and got the same behavior. As I remember, we have authenticator information as well in the context, so we should be able to fix this in future.

-Ishara

> Regards,
> Johann.
>
>> Thanks,
>> Asela.
>>
>>> Thanks,
>>> Harsha
>>>
>>> --
>>> Harsha Kumara
>>> Software Engineer, WSO2 Inc.
>>> Mobile: +94775505618
>>> Blog: harshcreationz.blogspot.com
>>
>> --
>> Thanks & Regards,
>> Asela
>>
>> ATL
>> Mobile : +94 777 625 933
>> +358 449 228 979
>>
>> http://soasecurity.org/
>> http://xacmlinfo.org/
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com*
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
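The behaviour Johann describes (the session only tracks which IdPs have authenticated, so a username/password login to SP1 satisfies SP2's TOTP step because both are LOCAL) and the fix Ishara suggests (decide per step using the authenticator recorded in the context), modelled side by side as an added Python example. This is not WSO2 IS code; the SP layout follows the thread, while the authenticator names and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# An option is (idp_name, authenticator_name); a step is a list of options,
# one of which the user must complete. Names are constructed, not IS's own.
LOCAL = "LOCAL"
BASIC, FACEBOOK, TOTP = (LOCAL, "basic"), ("Facebook", "facebook"), (LOCAL, "totp")

@dataclass
class ServiceProvider:
    name: str
    steps: list  # list of steps, each a list of (idp, authenticator) options

@dataclass
class Session:
    # What the thread says IS keeps today: only the IdPs authenticated so far.
    authenticated_idps: set = field(default_factory=set)
    # What the context also holds: which authenticator actually ran.
    authenticated_options: set = field(default_factory=set)

    def record(self, option):
        idp, _ = option
        self.authenticated_idps.add(idp)
        self.authenticated_options.add(option)

def pending_steps_idp_only(sp, session):
    """Current behaviour: a step counts as done if any of its IdPs is in the
    session's IdP list, regardless of which authenticator was used."""
    return [n for n, step in enumerate(sp.steps, 1)
            if not any(idp in session.authenticated_idps for idp, _ in step)]

def pending_steps_by_authenticator(sp, session):
    """Proposed fix: a step counts as done only if one of its exact
    (IdP, authenticator) options was completed in this session."""
    return [n for n, step in enumerate(sp.steps, 1)
            if not any(opt in session.authenticated_options for opt in step)]

# SP1: one multi-option step. SP2: the same first step, then a TOTP step.
SP1 = ServiceProvider("SP1", [[BASIC, FACEBOOK]])
SP2 = ServiceProvider("SP2", [[BASIC, FACEBOOK], [TOTP]])

def steps_still_required_for_sp2(first_login):
    """Log into SP1 with `first_login`, then ask which SP2 steps remain
    under each policy. Returns (idp_only, by_authenticator)."""
    session = Session()
    session.record(first_login)
    return (pending_steps_idp_only(SP2, session),
            pending_steps_by_authenticator(SP2, session))
```

With a Facebook login to SP1 both policies still demand SP2's TOTP step, which shows the gap is specific to two authenticators sharing the LOCAL IdP.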