authentication flows per profile?

Cantor, Scott cantor.2 at
Thu Aug 27 20:50:03 EDT 2015

On 8/27/15, 5:54 PM, "users on behalf of David Langenberg" <users-bounces at on behalf of davel at> wrote:

>Is there a way in v3 to separate authentication handling on a profile basis?

You can set one or both of these properties on any profile that involves a login:

defaultAuthenticationMethods (List<Principal>)
authenticationFlows (Set<String>)

>For the browser-based flows, we have things working (aside from IDP-800) pretty well.  Unfortunately, it seems that the way we've wired up Duo into our setup means that users who have elected to force Duo (which doesn't support non-browser at the moment) can't login using ECP.  The IdP in this case sends the SP a SAML error saying authentication failed.  What I'd like to do is wire things up such that if the request is via ECP then none of the initial authn/attribute-resolution/Duo flow selection stuff fires & instead the IdP just does a straight username/password & moves on.

I don't think initial authentication can be turned off that way, I think it's on or off.

-- Scott

More information about the users mailing list