make forceAuthn requests completely start over
Cantor, Scott
cantor.2 at osu.edu
Sat Aug 1 11:30:49 EDT 2015
On 8/1/15, 10:36 AM, "users on behalf of David Langenberg" <users-bounces at shibboleth.net on behalf of davel at uchicago.edu> wrote:
>It seems, so far, to be doing exactly what I want.
That's good news.
The one thing to bear in mind is that presumably the Duo flow is then overwriting the AuthenticationResult of the Password flow with its own result, which may be ok, but really depends on what's supposed to be in the Java Subject at the end for this kind of composite method.
The Password flow will populate the Subject with various things depending on how the password validation is done, so there would be situations potentially where one might be depending on that content (e.g. Kerberos ticket, LDAP result).
The other thing I was going to mention is that I don't know if it's really all that well-defined what ForceAuthn should mean here to begin with. One could argue that invoking the Duo flow alone is "enough" to satisfy ForceAuthn. That seems like one of those community-established norms that probably doesn't exist right now.
-- Scott