Complicating my MFA implementation
Wessel, Keith
kwessel at illinois.edu
Mon Apr 25 16:12:25 EDT 2016
The config I'm referring to is in step 8 of this page:
https://wiki.shibboleth.net/confluence/pages/viewpage.action?pageId=20807829
With that in mind, is that a valid use of the intercept? Or is that a bad idea?
And is there any way, if it's not a bad idea, to craft it into what I was talking about with opt-in? If not, I'll look into the custom subflow.
Thanks,
Keith
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Monday, April 25, 2016 2:30 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Complicating my MFA implementation
> You say that intercepts run after login, not during. I understand that, but as it
> is with the MCB setup, the intercept is used to prompt for Duo
> authentication. Isn't that, for all intents and purposes, part of login? Sure, it's
> after the initial authn is satisfied. But from the user's standpoint, it's still part
> of login.
I'm not sure of what you're talking about, but it certainly is not intended that anything like that would be happening in an intercept. I know of a couple of Duo plugins, in addition to mine, and I don't think either runs as an intercept.
It's physically possible to alter the authenticate state at that point, but it is ill-advised and definitely not a supported feature. By then, a lot of important logic has been run that relies on the completed state.
> I just want what's there now to trigger based on attribute values and despite
> requested context.
I don't know what's there "now" but having implemented opt-in via a cookie, it would be conceptually similar to using an attribute to trigger it, and I definitely had to do that inside a custom login flow.
-- Scott