MCB SSO not requiring greater authentication methods

Ho, PeiQuan PeiQuan.Ho at tufts.edu
Fri Apr 10 11:43:27 EDT 2015


I think what you're saying is what we're seeing.  On the first login to SP1, we see the attributes being resolved and their values.  But on the next login to SP2, we don't see the attributes being resolved again.  However, the odd thing is, in the IdP logs, we do see the scripted portion returning a different attributeResolverID value, or at least processing the logger.debug messages in that scripted attribute.

Thanks,
-PQ

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Paul Hethmon
Sent: Friday, April 10, 2015 11:37 AM
To: Shibboleth Users
Subject: Re: MCB SSO not requiring greater authentication methods

I don’t think it will work.

When MCB handles previous session (which it should), the context value it has available to determine what to do is from the last successful authentication. So if the previous allowed value matches what the user has used, then previous session handling takes place and there is never another call to the attribute resolver.

Paul


> On Apr 10, 2015, at 10:11 AM, Ho, PeiQuan <PeiQuan.Ho at tufts.edu> wrote:
> 
> This is what I'm currently doing.   I'm using a scripted attribute resolver called "authContext" that is determined by checking the value of the SP ID and another value for the user.  This value is then passed to the MCB as its attributeResolverID, which I thought would then set the MCB authnContext to the one specified by the authContext generated value.  Currently, this does work.  It just doesn't work when doing SSO... such as when I first go to an SP that the MCB determines to only require password, then go to a second SP that the MCB determines requires two-factor, the second SP does not force the two-factor step.  Is this doable with Shib and MCB?  We're currently using Shib IdP 2.4.1.
> 

-----
Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com
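For reference, an added example (not from either poster) of the kind of IdP 2.x scripted attribute definition PQ describes: it picks an MCB context from the requesting SP's entityID plus a per-user attribute. The SP entityID, the source attribute "userMfaEnrolled" and the context names "password" and "two-factor" are assumed and would have to match the multi-context-broker configuration. As Paul explains, this is only consulted on a fresh authentication, not when MCB reuses a previous session.

```xml
<!-- Added example, not code from the thread. Assumed: dependency attribute
     "userMfaEnrolled", the SP entityID below, and MCB context names
     "password" / "two-factor" defined in multi-context-broker.xml. -->
<resolver:AttributeDefinition xsi:type="ad:Script" id="authContext">
    <resolver:Dependency ref="userMfaEnrolled" />
    <ad:Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

        authContext = new BasicAttribute("authContext");

        // entityID of the SP that initiated this request (IdP 2.x request context)
        spId = requestContext.getPeerEntityId();

        // constructed: one SP that should require two-factor, all others password
        needsTwoFactor = (spId == "https://sp2.example.edu/shibboleth");

        // per-user flag from the dependency; absent attribute means not enrolled
        enrolled = (typeof userMfaEnrolled != "undefined"
                    && userMfaEnrolled.getValues().contains("true"));

        if (needsTwoFactor && enrolled) {
            authContext.getValues().add("two-factor");
        } else {
            authContext.getValues().add("password");
        }
    ]]></ad:Script>
</resolver:AttributeDefinition>
```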

