MCB with Duo and password as fallback

Paul Hethmon paul.hethmon at clareitysecurity.com
Wed Aug 20 21:45:37 EDT 2014


On Aug 20, 2014, at 9:21 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> Yes, but my point is that SAML requires that the IdP try and honor the
> requested contexts in the order they're listed. It doesn't qualify that
> requirement with "unless a later one can be met without actually
> prompting". It's not irrational to take that view, because users are
> obviously happier, but it's not actually something the standard would
> justify, and SPs routinely get confused when this happens, so it's clearly
> not what they want.

It does honor the order given by the SP.

> In other words, the strict approach is to say, if the SP requests X, and
> if X is possible to attempt, you attempt X, even if the user already
> completed Y and Y is the second one in the request. Replace X with Duo and
> Y with password in this case.

So how the MCB would handle this would be up to the configuration. Assuming the two contexts are handled by different methods then X will be presented first as requested. However, if the second SP request were for method Y and Y is not satisfied by X, then the MCB would require the user to satisfy Y instead of using previous session.

If X and Y used the same method, then the second SP request would be granted as a previous session no matter which context was requested, since the user has already satisfied the method that covers both contexts.

I don't feel I'm adequately explaining what it can do here.

Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com
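The two readings discussed in this thread can be made concrete as a small decision model. This is an added illustration, not MCB or Shibboleth IdP code: it assumes a constructed mapping from authentication context URIs (`urn:example:...`) to the method that satisfies them, an SP request given as an ordered list of contexts, and a session holding the methods the user has already completed. `strict_decision` follows the reading Scott describes (attempt the first requested context that can be attempted, reusing the session only if that context's own method is already done); `session_first_decision` follows the "unless a later one can be met without prompting" reading he argues against. The scenarios at the bottom are the ones Paul walks through, plus the Duo-then-password case where the two readings diverge.

```python
"""Model of two ways an IdP can process an ordered list of requested
authentication contexts against an existing session.

Added example, not code from the MCB or the Shibboleth IdP. Context URIs,
method names and the mapping between them are constructed for illustration.
"""

from typing import Dict, List, Optional, Set, Tuple

# Constructed mapping: requested context URI -> authentication method that satisfies it.
# Two distinct contexts deliberately share the "duo" method, matching Paul's
# "X and Y used the same method" case.
CONTEXT_TO_METHOD: Dict[str, str] = {
    "urn:example:ac:password": "password",
    "urn:example:ac:duo": "duo",
    "urn:example:ac:duo-admin": "duo",
}

Decision = Tuple[str, Optional[str]]  # ("reuse" | "prompt" | "fail", context URI or None)


def strict_decision(requested: List[str], session_methods: Set[str]) -> Decision:
    """Strict reading: walk the SP's list in order; the first context the IdP is
    able to attempt decides the outcome. Reuse the session only if that very
    context's method is already completed, otherwise prompt for it."""
    for ctx in requested:
        method = CONTEXT_TO_METHOD.get(ctx)
        if method is None:
            continue  # context the IdP cannot attempt: skip to the SP's next choice
        if method in session_methods:
            return ("reuse", ctx)
        return ("prompt", ctx)
    return ("fail", None)  # nothing requested can be attempted


def session_first_decision(requested: List[str], session_methods: Set[str]) -> Decision:
    """Session-first reading: if any requested context, at any position, is
    already covered by a completed method, grant it without prompting.
    Otherwise prompt for the first attemptable context in the SP's order."""
    for ctx in requested:
        method = CONTEXT_TO_METHOD.get(ctx)
        if method is not None and method in session_methods:
            return ("reuse", ctx)
    for ctx in requested:
        if ctx in CONTEXT_TO_METHOD:
            return ("prompt", ctx)
    return ("fail", None)


def compare(requested: List[str], session_methods: Set[str]) -> Dict[str, Decision]:
    """Run both readings on the same request and session."""
    return {
        "strict": strict_decision(requested, session_methods),
        "session_first": session_first_decision(requested, session_methods),
    }


# Constructed scenarios following the thread.
DUO = "urn:example:ac:duo"
DUO_ADMIN = "urn:example:ac:duo-admin"
PASSWORD = "urn:example:ac:password"

SCENARIOS = {
    # First request for [X, Y] with no session: X is presented first under both readings.
    "fresh_session": compare([DUO, PASSWORD], set()),
    # Second request for Y only, where the session satisfied X by a different method:
    # both readings require Y.
    "different_method": compare([PASSWORD], {"duo"}),
    # Second request for a different context covered by the same method: both reuse.
    "same_method": compare([DUO_ADMIN], {"duo"}),
    # The contested case: [Duo, password] with password already done.
    "contested": compare([DUO, PASSWORD], {"password"}),
}

if __name__ == "__main__":
    for name, outcome in SCENARIOS.items():
        print(f"{name:18} strict={outcome['strict']}  session_first={outcome['session_first']}")
```

The three scenarios Paul describes come out the same under both readings; only the Duo-then-password request against a password-only session separates them, with the strict reading prompting for Duo and the session-first reading reusing the password session. Whatever policy an IdP adopts, the SP-visible consequence is the context asserted in the response, which is why an SP that asked for Duo first may be surprised to receive password.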

