MFA flow: which authns are reused

Jim Fox fox at washington.edu
Mon Dec 5 16:15:59 EST 2016


We use only an MFA flow.  It first runs a Password flow (actually a 
strategy-ref to see if this request gets Password or RemoteUser, then Password). Then it 
runs a strategy-ref to see if this user needs 2nd factor.  2nd factor is triggered 
by either the SP requesting 'TimeSyncToken' or by the user opting into 2nd factor for all logins.

If I go through this flow with just one factor, and then do that again the second hit 
logs "No specific Principals requested" and "Reusing active result authn/MFA".  Good.

If I then hit this flow with a 'token' request it doesn't do the reuse. 
Instead it logs "Selecting inactive authentication flow authn/MFA" due to the principal match. 
That's what I want, but what caused it to not reuse the active result?

Then, inside the MFA (when token was requested) the first step, Password, logged 
"Reusing active result for 'authn/Password' flow", which is also what I wanted.
So it seems like the reuse of flow results is a bit complicated.  Where can I learn the details of this?

Secondly, when the active result is used for authn/Password the script call
input.getSubcontext("net.shibboleth.idp.authn.context.SubjectCanonicalizationContext")
returns null.

How can I get the username in that case?

Thanks,

Jim
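One way to express the flow described above as an IdP MFA configuration, added here as an example that is not from the original post or from the Shibboleth project. It assumes the IdP 3.3 MFA transition-map beans, the MultiFactorAuthenticationContext, RequestedPrincipalContext and UsernamePrincipal classes, the standard SAML TimeSyncToken authn context class URI, and a hypothetical `authn/Token` flow id and `optedIn` lookup; it reads the username from the active `authn/Password` result rather than from the SubjectCanonicalizationContext, which is what is null when that result is reused.

```xml
<!-- Assumed location: conf/authn/mfa-authn-config.xml. Password runs first, then a strategy decides on a 2nd factor. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value><![CDATA[
            // Assumed: the IdP binds the ProfileRequestContext to 'input' for scripted functions.
            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx  = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

            // Username: SubjectCanonicalizationContext is null when the Password result is reused,
            // so take the UsernamePrincipal from the active Password result's Subject instead.
            username = null;
            pwResult = mfaCtx.getActiveResults().get("authn/Password");
            if (pwResult != null) {
                principals = pwResult.getSubject().getPrincipals(
                    Java.type("net.shibboleth.idp.authn.principal.UsernamePrincipal").class);
                if (!principals.isEmpty()) { username = principals.iterator().next().getName(); }
            }

            // Trigger 1: the SP requested the TimeSyncToken authn context class (assumed standard SAML URI).
            tokenRequested = false;
            rpCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
            if (rpCtx != null) {
                iter = rpCtx.getRequestedPrincipals().iterator();
                while (iter.hasNext()) {
                    if (iter.next().getName().equals("urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken")) {
                        tokenRequested = true;
                    }
                }
            }

            // Trigger 2: the user opted into a 2nd factor for all logins. Hypothetical lookup;
            // replace the body with a query against the site's opt-in store.
            optedIn = function(u) { return false; };

            // Assumed flow id 'authn/Token' for the 2nd factor; null ends MFA with the Password result alone.
            nextFlow = (tokenRequested || optedIn(username)) ? "authn/Token" : null;
            nextFlow;
        ]]></value>
    </constructor-arg>
</bean>
```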