authentication flows per profile?
Cantor, Scott
cantor.2 at osu.edu
Thu Aug 27 20:50:03 EDT 2015
On 8/27/15, 5:54 PM, "users on behalf of David Langenberg" <users-bounces at shibboleth.net on behalf of davel at uchicago.edu> wrote:
>Is there a way in v3 to separate authentication handling on a profile basis?
You can set one or both of these properties on any profile that involves a login:
defaultAuthenticationMethods (List<Principal>)
authenticationFlows (Set<String>)
>For the browser-based flows, we have things working (aside from IDP-800) pretty well. Unfortunately, it seems that the way we've wired up Duo into our setup means that users who have elected to force Duo (which doesn't support non-browser at the moment) can't login using ECP. The IdP in this case sends the SP a SAML error saying authentication failed. What I'd like to do is wire things up such that if the request is via ECP then none of the initial authn/attribute-resolution/Duo flow selection stuff fires & instead the IdP just does a straight username/password & moves on.
I don't think initial authentication can be turned off that way, I think it's on or off.
-- Scott
More information about the users
mailing list