I have a Shibboleth IdP with a custom x509 authenticator that handles
smartcard authN via Client Cert authentication over TLS. When there is no
cert (after a reasonable number of retries and reminders to the user to
stick the card in the reader, please and thank you), it returns an AuthN
failed response to the RP, in this case CAS.  I chose to have it work this
way because I wanted to minimize the UI for the Shibboleth IdP.

I have a workaround for now.  It might be a while before I have the
bandwidth to figure out a PR to address it.

Thanks,
Rich

On Wed, Dec 5, 2018 at 11:24 AM Jérôme LELEU <lel...@gmail.com> wrote:

> Hi,
>
> Yes, it feels a bit too aggressive to return an IllegalArgumentException,
> but I think it makes sense as there is already a check via the
> hasDelegationRequestFailed method to know if the authentication has
> failed. The check may be incomplete though...
>
> In fact, it's the responsibility of pac4j to handle cancelled/failed
> authentications and in that case, it returns null credentials (for
> delegated authentications), but here, the CAS server takes over.
>
> In any case, we should certainly avoid throwing an
> IllegalArgumentException when pac4j returns null credentials.
>
> How do you get the AuthnFailed SAML response?
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Wed, Nov 21, 2018 at 6:18 PM Rich Renomeron <richard.renome...@tcg.com>
> wrote:
>
>> I have a requirement to gracefully handle a failed delegated
>> authentication scenario (from multiple providers).  A specific example of
>> this is when a SAML IdP returns an AuthnFailed in the (SAML) response.
>>
>> Based on my memory with 5.2 and 5.1 overlays, I would expect that, if
>> configured correctly, I'd end up on the stopWebflow state when that
>> happens.  But if I am reading the 5.3.5 code and my logs correctly, it
>> seems that the DelegatedClientAuthenticationAction is now just throwing an
>> IllegalArgumentException back to the web flow, which results in the generic
>> error page.  That's not really what I want to show my users, especially
>> when I need to give them a way back to the login page to try a different
>> authN method and end up at the right service if the other attempt succeeds.
>>
>> Is there a preferred way to handle an exception like that now?  I could
>> just mod the generic error page to have a "go back to CAS login" link (like
>> the stopWebflow error page does), but that's not ideal.  Or I could write
>> some custom code to inject an ExceptionHandler into the clientAction state
>> (which I'm not succeeding with at the moment; I can't get my
>> WebflowConfigurer to run after the clientAction state has been created).
>> Is there a reason why CAS doesn't seem to use the stopWebflow state to
>> handle this any more?
>>
>> Thanks,
>> Rich
>>


-- 
*Rich Renomeron,* Project Lead
*TCG, Inc. - Positively Distinct* - CMMI-DEV Level 3 - CMMI-SVC Level 2 -
ISO 9001:2015
+1 (202) 643-8460 | richard.renome...@tcg.com | www.tcg.com
<https://www.facebook.com/TCG-32241785903>  <https://twitter.com/TCGnews>
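The thread hinges on recognising a failed delegated login (the IdP's SAML AuthnFailed status, or pac4j handing back null credentials) and routing it to a graceful "stop" outcome rather than letting an exception surface as the generic error page. The example below is added here and is not code from the thread, CAS or pac4j: it walks the nested SAML 2.0 StatusCode chain and maps it to an outcome name; the response XML is constructed, and the outcome strings are assumptions standing in for webflow transitions.

```python
"""Added example (not from the thread, CAS or pac4j): classify a SAML 2.0
Response <Status> so an AuthnFailed result is routed to a 'stop' outcome
instead of being treated as an unexpected exception."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# Constructed sample responses; IDs and timestamps are placeholders.
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'ID="_constructed" Version="2.0" IssueInstant="2018-11-21T17:18:00Z">')
AUTHN_FAILED_RESPONSE = _HEAD + """
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>No client certificate presented</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
SUCCESS_RESPONSE = _HEAD + """
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
</samlp:Response>""" % SUCCESS
VERSION_MISMATCH_RESPONSE = _HEAD + """
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"/>
  </samlp:Status>
</samlp:Response>"""


def status_codes(response_xml):
    """Return the StatusCode Value chain: top-level code first, nested after."""
    root = ET.fromstring(response_xml)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)  # second-level code, if any
    return codes


def route_outcome(response_xml):
    """Map a response to an assumed webflow outcome name.
    'success': continue with credential handling.
    'stop':    the IdP reported AuthnFailed (user cancelled / no smartcard);
               show a stop page with a way back to the login form.
    'error':   any other non-success status is a real protocol error."""
    codes = status_codes(response_xml)
    if codes and codes[0] == SUCCESS:
        return "success"
    if AUTHN_FAILED in codes[1:]:  # AuthnFailed is always a second-level code
        return "stop"
    return "error"
```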

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMYXOV-5GKgwfa2WyCkaxdtYGzv43uVT3UxPfENKkUBeCHOAMA%40mail.gmail.com.