make forceAuthn requests completely start over

David Langenberg davel at uchicago.edu
Sat Aug 1 11:44:50 EDT 2015 

On Sat, Aug 1, 2015 at 9:30 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 8/1/15, 10:36 AM, "users on behalf of David Langenberg" <
> users-bounces at shibboleth.net on behalf of davel at uchicago.edu> wrote:
>
> >It seems, so far, to be doing exactly what I want.
>
> That's good news.
>
> The one thing to bear in mind is that presumably the Duo flow is then
> overwriting the AuthenticationResult of the Password flow with its own
> result, which may be ok, but really depends on what's supposed to be in the
> Java Subject at the end for this kind of composite method.
>

For us, it doesn't matter what's a the end as far as Subject goes.  From
what I've seen everybody comes out the other end on our impl (password/Duo)
pretty much identified the same way with their netID as the principal.


>
> The Password flow will populate the Subject with various things depending
> on how the password validation is done, so there would be situations
> potentially where one might be depending on that content (e.g. Kerberos
> ticket, LDAP result).
>
> The other thing I was going to mention is that I don't know if it's really
> all that well-defined what ForceAuthn should mean here to begin with. One
> could argue that invoking the Duo flow alone is "enough" to satisfy
> ForceAuthn. That seems like one of those community-established norms that
> probably doesn't exist right now.
>

Yes, what forceAuthn means probably needs some fleshing out.  Locally here,
what folks assume it means can be best described as "poor man's logout".
When I saw the default behavior, it made sense that only Duo would fire as,
well, we know who you are already and we know Duo is what you are only
allowed to do, so, we forced you to re-do Duo.  However, we also allow
users to check a little box in Duo that says "remember my authN for 30
days" which had the effect of turning the forceAuthn request into (from a
user POV) an SSO operation.  I imagine we could turn forceAuthn back into
what it should mean once the IdP's logout support improves.

Dave

-- 
David Langenberg
Identity & Access Management Architect
The University of Chicago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20150801/ac5b9024/attachment.html>

More information about the users mailing list