Complicating my MFA implementation

Wessel, Keith kwessel at
Mon Apr 25 16:12:25 EDT 2016

The config I'm referring to is in step 8 of this page:

With that in mind, is that a valid use of the intercept? Or is that a bad idea?

And is there any way, if it's not a bad idea, to craft it into what I was talking about with opt-in? If not, I'll look into the custom subflow.


-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Monday, April 25, 2016 2:30 PM
To: Shib Users <users at>
Subject: RE: Complicating my MFA implementation

> You say that intercepts run after login, not during. I understand that, but as it
> is with the MCB setup, the intercept is used to prompt for Duo
> authentication. Isn't that, for all intents and purposes, part of login? Sure, it's
> after the initial authn is satisfied. But from the user's standpoint, it's still part
> of login.

I'm not sure of what you're talking about, but it certainly is not intended that anything like that would be happening in an intercept. I know of a couple of Duo plugins, in addition to mine, and I don't think either runs as an intercept.

It's physically possible to alter the authenticate state at that point, but it is ill-advised and definitely not a supported feature. By then, a lot of important logic has been run that relies on the completed state.

> I just want what's there now to trigger based on attribute values and despite
> requested context.

I don't know what's there "now" but having implemented opt-in via a cookie, it would be conceptually similar to using an attribute to trigger it, and I definitely had to do that inside a custom login flow.

-- Scott
