3.2.x and Earlier Login Switching
Klingenstein, Nate
nklingenstein at calstate.edu
Mon Aug 22 21:15:56 EDT 2016
My firm constraint is IdP version >3.0 and <3.3 running in production in many places. Obviously, there's a lot more that can be done with 3.3.
I need to perform MFA for a specific application with a specific group of users. The IdP must be able to indicate that MFA was used.
I'm willing to make the limiting assumptions:
1) The SP can send a special AuthnContext
2) There is no step-up or step-down authentication
3) Every request for that elevated AuthnContext is effectively ForceAuthn true
Changing code or recompiling classes is not impossible, but it's scary for IdP administrators and our handlers. I gain brownie points if I can do a simple switch on a variable as well, e.g. if wePayThem="sorta".
What is the most elegant way to do that? e.g. wrap part of the Webflow with a decision-state that pulls something out of the login context, or... ?