Complicating my MFA implementation
cantor.2 at osu.edu
Mon Apr 25 17:01:33 EDT 2016
> The config I'm referring to is in step 8 of this page:
I don't know exactly what it's doing, but I don't believe it's *performing authentication*, which is what I was talking about not doing.
The context-check example is just a way to decide whether to continue or stop processing at that point in the process. Anything you want to check within that "framework" is ok, but it shouldn't have any side effects.
(What I have noticed is that it's referencing a class in a net.shibboleth package that we don't provide. That really needs to be corrected, because hijacking somebody else's package naming is a really big no-no.)
> And is there any way, if it's not a bad idea, to craft it into what I was talking
> about with opt-in? If not, I'll look into the custom subflow.
What you seemed to be asking about was how to *trigger* Duo. You can't do that after the authentication process is over, and it's over by the time that runs. That's all I was saying.
If that isn't what you were asking about, then I misunderstood.
I will say this: once you have a properly constructed flow handling both factors correctly, you should not need any extra intercept checking. The IdP already handles AuthnContext matching correctly, and you do not need or want to fool it or create any weird exceptions or anything like that. It just does its thing and you just need to make sure the flow(s) produce a Subject with the right content.
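As an added example, not the poster's configuration and not the page Scott is replying about: this is what "a properly constructed flow handling both factors" looks like in the IdP's built-in MFA login flow (conf/authn/mfa-authn-config.xml, available from IdP 3.3, which postdates this April 2016 thread). The transition map runs Password first, then a scripted function decides whether to *trigger* Duo while authentication is still in progress, which is the point Scott makes above. The decision has no side effects, and the AuthnContext question is left to the IdP: if the password result alone already satisfies what the SP requested, the script only continues to Duo for users who opted in. The attribute name duoOptIn and its value "true" are assumptions for illustration; the bean names, contexts and lookup strategy are the IdP's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <!-- First rule: always run the Password login flow. -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>

        <!-- Second rule: after Password succeeds, decide whether Duo runs. -->
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
        </entry>

        <!-- Implicit final rule: the result of the last flow that ran is the MFA result. -->
    </util:map>

    <!-- Decision function: pure, no side effects beyond a temporary attribute lookup. -->
    <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
          p:customObject-ref="shibboleth.AttributeResolverService">
        <constructor-arg>
            <value>
            <![CDATA[
                nextFlow = "authn/Duo";

                authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
                mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

                // If Password alone does NOT satisfy the requested AuthnContext, Duo is
                // mandatory regardless of opt-in; no attribute lookup is needed.
                if (mfaCtx.isAcceptable()) {
                    // Password is sufficient for this request, so Duo runs only for opted-in users.
                    resCtx = input.getSubcontext(
                        "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);

                    // Resolve the canonical username of the just-authenticated user.
                    usernameLookupStrategyClass = Java.type(
                        "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
                    usernameLookupStrategy = new usernameLookupStrategyClass();
                    resCtx.setPrincipal(usernameLookupStrategy.apply(input));

                    // "duoOptIn" is an assumed attribute ID; define it in attribute-resolver.xml.
                    resCtx.getRequestedIdPAttributeNames().add("duoOptIn");
                    resCtx.resolveAttributes(custom);

                    attribute = resCtx.getResolvedIdPAttributes().get("duoOptIn");
                    valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
                    optedIn = (attribute != null && attribute.getValues().contains(new valueType("true")));

                    if (!optedIn) {
                        nextFlow = null;   // stop here: Password result becomes the MFA result
                    }

                    input.removeSubcontext(resCtx);   // cleanup so the lookup leaves no trace
                }

                nextFlow;   // "authn/Duo" continues to the second factor, null ends the flow
            ]]>
            </value>
        </constructor-arg>
    </bean>
</beans>
```

Because the decision runs inside the MFA flow, before the authentication event is finished, there is no need for an intercept or context-check after the fact. The Subject the MFA flow produces carries the principals of every flow that actually ran, so the IdP's normal AuthnContext matching is correct on its own: an SP that requires a Duo-backed context will not be satisfied by a session where the script returned null, and an SP that accepts Password will be.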