Complicating my MFA implementation

Cantor, Scott cantor.2 at
Mon Apr 25 15:29:48 EDT 2016

> You say that intercepts run after login, not during. I understand that, but as it
> is with the MCB setup, the intercept is used to prompt for Duo
> authentication. Isn't that, for all intents and purposes, part of login? Sure, it's
> after the initial authn is satisfied. But from the user's standpoint, it's still part
> of login.

I'm not sure of what you're talking about, but it certainly is not intended that anything like that would be happening in an intercept. I know of a couple of Duo plugins, in addition to mine, and I don't think either runs as an intercept.

It's physically possible to alter the authenticate state at that point, but it is ill-advised and definitely not a supported feature. By then, a lot of important logic has been run that relies on the completed state.
> I just want what's there now to trigger based on attribute values and despite
> requested context.

I don't know what's there "now" but having implemented opt-in via a cookie, it would be conceptually similar to using an attribute to trigger it, and I definitely had to do that inside a custom login flow.
-- Scott

More information about the users mailing list