Complicating my MFA implementation
cantor.2 at osu.edu
Mon Apr 25 15:29:48 EDT 2016
> You say that intercepts run after login, not during. I understand that, but as it
> is with the MCB setup, the intercept is used to prompt for Duo
> authentication. Isn't that, for all intents and purposes, part of login? Sure, it's
> after the initial authn is satisfied. But from the user's standpoint, it's still part
> of login.
I'm not sure of what you're talking about, but it certainly is not intended that anything like that would be happening in an intercept. I know of a couple of Duo plugins, in addition to mine, and I don't think either runs as an intercept.
It's physically possible to alter the authenticate state at that point, but it is ill-advised and definitely not a supported feature. By then, a lot of important logic has been run that relies on the completed state.
> I just want what's there now to trigger based on attribute values and despite
> requested context.
I don't know what's there "now" but having implemented opt-in via a cookie, it would be conceptually similar to using an attribute to trigger it, and I definitely had to do that inside a custom login flow.
More information about the users