Can an intercept trigger a re-resolution of attributes?

Cantor, Scott cantor.2 at osu.edu
Mon Aug 1 16:21:38 EDT 2016


> The idea was that the user would click "Continue", and if they had
> changed their password, they would end up being "logged in" and sent
> along to the SP.  If they had not, they would stay on the expired
> password view until the LDAP attribute changed.

Yes, it's kind of a middle ground. It's fine to do it in either place; it's just that the attribute does need to get re-checked if you want it to be a strong guarantee.

> An Action bean is probably sufficient for what we want to do - I can
> invoke it prior to looping back to the start of the flow, and presumably
> it will check the newly resolved attribute.

Caching aside, yes.

> The "pre-resolution" I meant is probably your "normal" resolution here
> (I meant the one that happens "during"/immediately after authN, as
> opposed to the ResolveAttributes action in e.g. the SAML2 profile flow).

The one in the profile flow is the "normal" one. That runs before the interceptors.

The one I said was fairly badly done is the one prior to authentication if there's a session already, and that one is rendered moot by the MFA features since you can just script all this cleanly and easily.

-- Scott


