make forceAuthn requests completely start over

David Langenberg davel at
Sat Aug 1 10:36:42 EDT 2015

On Fri, Jul 31, 2015 at 6:50 PM, Cantor, Scott <cantor.2 at> wrote:

> On 7/31/15, 8:33 PM, "Cantor, Scott" <cantor.2 at> wrote:
> >
> << SNIP >>

> The question really becomes whether having the Duo flow run the Password
> flow in a black box way is appropriate for the usability result you want to
> get, since the UI of the Password flow obviously isn't meant to have
> anything else in it. But if we address the specific subject of this thread,
> the Duo flow could certainly achieve the result you wanted to get in the
> presence of ForceAuthn by invoking the Password flow itself.
> Calling a subflow inside a flow definition is also trivial:
> <subflow-state id="CallPasswordFlow" subflow="authn/Password">
>         <input name="calledAsSubflow" value="true" />
>         <transition on="proceed" to="next" />
> </subflow-state>
> Lot of options because there are lot of directions one could go.

I went this route and added the following to the top of duo flow:

    <decision-state id="checkForceAuth">
            else="duo" />

    <subflow-state id="CallPasswordFlow" subflow="authn/Password">
        <input name="calledAsSubflow" value="true"/>
        <transition on="proceed" to="duo"/>

It seems, so far, to be doing exactly what I want.

Thanks for your help


David Langenberg
Identity & Access Management Architect
The University of Chicago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list