MFA flow: which authns are reused

Cantor, Scott cantor.2 at osu.edu
Mon Dec 5 16:33:17 EST 2016


> If I then hit this flow with a 'token' request it doesn't do the reuse.
> Instead it logs "Selecting inactive authentication flow authn/MFA" due to the
> principal match.
> That's what I want, but what caused it to not reuse the active result?

The final result you build in the MFA flow ends up looking like any other result used to look: it has the Subject and the Principal collection, and it gets evaluated on subsequent requests like any other top level result. By default it's a merge of all the Principals collated together from all the individual results the MFA flow puts together. If you do the first factor alone, the result won't include the supportedPrincipals from the token flow, so it won't get reused in that case because it doesn't satisfy the request.

It's designed to look and be configured like you would do it before 3.3, with each factor in its own flow descriptor bean with its own supportedPrincipals collection to set up the behavior.

> So it seems like the reuse of flow results is a bit complicated.  Where can I
> learn the details of this?

I tried to capture some of this in the MFA docs, there's a section on Running Login Flows and Reusing Results. It doesn't get that much into the code design, but I think it explains how it works. It's a recursive "engine" selecting methods and evaluating SSO like the top level IdP engine. I strongly considered making it a drop-in replacement there, but configuring that wasn't something I had it set up to handle, so making it a sort of embedded version ended up being the simpler path for now.

In terms of the code, it's pretty much all in one core action/class if you want a pointer to it.

> Secondly, when the active result is used for authn/Password the script call
> input.getSubcontext("net.shibboleth.idp.authn.context.SubjectCanonicalizationContext")
> returns null.
> 
> How can I get the username in that case?

The Duo flow (and probably anything in the future) uses a strategy function to get the username, net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy

The backup location is the name associated with the active session.

-- Scott
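As an added example that is not part of the message above nor of the Shibboleth IdP code, the following plain-JavaScript model exercises the two behaviours Scott describes: the MFA flow's final result is the merge of the supportedPrincipals of every factor that actually ran and is reused only when it satisfies the requested principal, and when a reused authn/Password result skips canonicalization the username has to come from the active session rather than the SubjectCanonicalizationContext. Inside a real MFA transition script the lookup is done with the strategy class named in the reply (`Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy")`, called with `.apply(input)`); here the context tree, the flow descriptors, the `authn/Token` flow id and the token AuthnContext class ref are constructed stand-ins so the logic runs outside the IdP.

```javascript
// Added example: a plain-JavaScript model of result reuse and username lookup in
// the IdP MFA flow. It is not Shibboleth code; the context objects, flow table and
// "authn/Token" flow id are constructed stand-ins for the example.
// In a real IdP transition script the username comes from the strategy instead:
//   var Strategy = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
//   var username = new Strategy().apply(input);

const C14N_CTX = "net.shibboleth.idp.authn.context.SubjectCanonicalizationContext";
const SESSION_CTX = "net.shibboleth.idp.session.context.SessionContext";
const PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
const TOKEN_CLASS = "http://example.org/ac/classes/token"; // hypothetical class ref for the token factor

// Constructed flow descriptors: each factor carries its own supportedPrincipals,
// mirroring the per-flow descriptor beans the reply refers to.
const FLOWS = {
  "authn/Password": { supportedPrincipals: [PPT] },
  "authn/Token": { supportedPrincipals: [TOKEN_CLASS] }, // hypothetical id for the 'token' flow
};

// --- 1. Merged MFA result and the reuse decision --------------------------------

// The MFA flow's final result merges the principals of every factor that ran,
// so a password-only run never carries the token flow's principals.
function mergeResult(principalName, ranFlows) {
  const principals = new Set();
  for (const id of ranFlows) {
    for (const p of FLOWS[id].supportedPrincipals) principals.add(p);
  }
  return { principalName, principals };
}

// An active result is reused only if it satisfies the request: either the request
// names no particular principal, or the merged result contains the requested one.
function canReuse(activeResult, requestedPrincipal) {
  if (!activeResult) return false;
  if (requestedPrincipal === null) return true;
  return activeResult.principals.has(requestedPrincipal);
}

// --- 2. Username resolution when canonicalization did not run -------------------

// Minimal stand-in for the ProfileRequestContext subcontext tree keyed by class name.
function makeContext(subcontexts) {
  return { getSubcontext: (name) => (name in subcontexts ? subcontexts[name] : null) };
}

// Same order the reply describes: the canonicalized name if the c14n context exists
// (fresh login), otherwise the name attached to the active IdP session (reused
// result); null if neither is available.
function resolveUsername(input) {
  const c14n = input.getSubcontext(C14N_CTX);
  if (c14n !== null && c14n.getPrincipalName()) return c14n.getPrincipalName();
  const sessionCtx = input.getSubcontext(SESSION_CTX);
  const session = sessionCtx !== null ? sessionCtx.getIdPSession() : null;
  return session ? session.getPrincipalName() : null;
}

// The kind of decision a transition script returns: the next flow id, or null
// when the request is already satisfied by the active result.
function nextFlow(input, activeResult, requestedPrincipal) {
  if (canReuse(activeResult, requestedPrincipal)) return null;   // reuse as-is
  if (resolveUsername(input) === null) return "authn/Password";  // no usable first factor yet
  // First factor is in hand (possibly reused): run only the factor that supplies
  // the missing principal; its result gets merged into a new top-level result.
  const missing = Object.keys(FLOWS).find(
    (id) => FLOWS[id].supportedPrincipals.includes(requestedPrincipal)
  );
  return missing || "authn/Password";
}

// Stand-alone demo: a reused password-only result hit by a request for the token class.
const demoResult = mergeResult("jdoe", ["authn/Password"]);
const demoCtx = makeContext({
  [SESSION_CTX]: { getIdPSession: () => ({ getPrincipalName: () => "jdoe" }) },
});
console.log("username:", resolveUsername(demoCtx), "next:", nextFlow(demoCtx, demoResult, TOKEN_CLASS));
```

Running it shows the password-only result is reused for a PasswordProtectedTransport request but not for the token class, and that the username still resolves (from the session) even though no SubjectCanonicalizationContext is present.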
