
I have deployed a Shibboleth IdP 3.4 with an MFA authentication flow. The first flow is the traditional password flow; the second is a 2FA flow based on external authentication (a servlet).

Authentication works as expected for one user at a time. However, when several users try to log in at the same time, only the last user is able to log in. For all the other users, after a successful authentication the IdP log shows the following errors:

2019-09-11 11:19:22,006 - ERROR [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:78] - Profile Action SelectSubjectCanonicalizationFlow: No potential flows left to choose from, canonicalization will fail
2019-09-11 11:19:22,008 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:138] - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/MFA to intermediate set
2019-09-11 11:19:22,008 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:313] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication failed

The 2FA servlet is essentially the following method:

import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import org.opensaml.profile.context.ProfileRequestContext;

// Inside the servlet's request handler; usernameShib is not declared in this snippet
String authenticationKey = ExternalAuthentication.startExternalAuthentication(request);
final ProfileRequestContext profileRequestContext = ExternalAuthentication.getProfileRequestContext(authenticationKey, request);
final SubjectCanonicalizationContext c14nContext = profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class);
if (c14nContext != null && c14nContext.getPrincipalName() != null) {
    // Principal already resolved by the first (password) flow
    usernameShib = c14nContext.getPrincipalName();

    // do 2FA ...
    // secondFactorOk is a placeholder for the result of the 2FA check
    if (secondFactorOk) {
        // Hand the principal back to the IdP and finish the external flow
        request.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, usernameShib);
        ExternalAuthentication.finishExternalAuthentication(authenticationKey, request, response);
    } else {
        // Report a generic authentication failure to the IdP
        request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, AuthnEventIds.AUTHN_EXCEPTION);
        ExternalAuthentication.finishExternalAuthentication(authenticationKey, request, response);
    }
}

Does anyone know why concurrent authentication fails, or can suggest where I should look?


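The posted snippet assigns usernameShib without declaring it, so it may be an instance field of the servlet, which every request thread shares. The example below is added here and is not the poster's code or Shibboleth's; it assumes that reading (a hypothetical servlet-field version) and simulates several logins completing concurrently, with a barrier standing in for the 2FA round trip, to show how a shared field ends up handing the last user's principal to everyone, while a method-local variable does not.

```java
import java.util.*;
import java.util.concurrent.*;

public class PrincipalStateDemo {
    /** Hypothetical handler that keeps the resolved principal in an instance field shared by all request threads. */
    static class SharedFieldHandler {
        private String usernameShib;  // one copy for every concurrent request
        String handle(String principalFromC14n, CyclicBarrier b) throws Exception {
            usernameShib = principalFromC14n;  // step 1: take the principal from the c14n context
            b.await();                         // stand-in for the delay of the 2FA round trip
            return usernameShib;               // step 2: finish with whatever the field holds now
        }
    }

    /** Same logic with a method-local variable, so each request thread keeps its own copy. */
    static class LocalVariableHandler {
        String handle(String principalFromC14n, CyclicBarrier b) throws Exception {
            String usernameShib = principalFromC14n;
            b.await();
            return usernameShib;
        }
    }

    /** Runs n logins concurrently and returns how many finished with a principal that was not their own. */
    static long runConcurrent(int n, boolean shared) throws Exception {
        CyclicBarrier barrier = new CyclicBarrier(n);
        SharedFieldHandler s = new SharedFieldHandler();
        LocalVariableHandler l = new LocalVariableHandler();
        ExecutorService pool = Executors.newFixedThreadPool(n);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < n; i++) {
            String user = "user" + i;  // constructed sample principal name
            results.add(pool.submit(() -> {
                String out = shared ? s.handle(user, barrier) : l.handle(user, barrier);
                return user.equals(out);
            }));
        }
        long wrong = 0;
        for (Future<Boolean> f : results) if (!f.get()) wrong++;
        pool.shutdown();
        return wrong;
    }

    public static void main(String[] args) throws Exception {
        // With the shared field, all but one of the five logins finish as the last writer's user
        System.out.println("shared field, wrong principals: " + runConcurrent(5, true));
        // With a local variable, every login finishes as itself
        System.out.println("local variable, wrong principals: " + runConcurrent(5, false));
    }
}
```

If the real servlet does hold usernameShib in a field, the IdP would receive one user's name in several concurrent external-authentication completions, which is consistent with the c14n failures in the log; the fix is to keep all per-request state local to the request.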