make forceAuthn requests completely start over
David Langenberg
davel at uchicago.edu
Sat Aug 1 10:36:42 EDT 2015
On Fri, Jul 31, 2015 at 6:50 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 7/31/15, 8:33 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
> >
>
> << SNIP >>
> The question really becomes whether having the Duo flow run the Password
> flow in a black box way is appropriate for the usability result you want to
> get, since the UI of the Password flow obviously isn't meant to have
> anything else in it. But if we address the specific subject of this thread,
> the Duo flow could certainly achieve the result you wanted to get in the
> presence of ForceAuthn by invoking the Password flow itself.
>
> Calling a subflow inside a flow definition is also trivial:
>
> <subflow-state id="CallPasswordFlow" subflow="authn/Password">
>     <input name="calledAsSubflow" value="true" />
>     <transition on="proceed" to="next" />
> </subflow-state>
>
>
> Lots of options because there are a lot of directions one could go.
>
I went this route and added the following to the top of duo flow:

<decision-state id="checkForceAuth">
    <if test="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.authn.context.AuthenticationContext)).isForceAuthn()"
        then="CallPasswordFlow"
        else="duo" />
</decision-state>

<subflow-state id="CallPasswordFlow" subflow="authn/Password">
    <input name="calledAsSubflow" value="true"/>
    <transition on="proceed" to="duo"/>
</subflow-state>

It seems, so far, to be doing exactly what I want.

Thanks for your help

Dave
--
David Langenberg
Identity & Access Management Architect
The University of Chicago