IDP 3.3 MFA flow -- checking to see if an authn context class ref was requested

Cantor, Scott cantor.2 at osu.edu
Mon Dec 5 18:48:27 EST 2016


On 12/5/16, 5:14 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

>    So, given that, am I stuck checking the list of requested authn contexts as I suspected to begin with?

No. You need to special-case "nothing is requested", as one particular scenario to carve out (and I guess not run the second factor). If there's no RequestedPrincipalContext subcontext, then that means nothing was requested, so it's easy to check.

The rest should be handled the way I outlined. If you want to know if the SP requested Duo, you do it by testing whether one or more Duo-implying principal types are acceptable to the SP, rather than whether it requested them. If the SP requests Password alone, they won't be acceptable. If it requested both, they will be.

The isAcceptable() method is like the abstract version of "is it requested?". That handles all the comparison methods, not just exact. The edge case is "nothing requested" because that always returns true, so that's the case where you have an exception.

-- Scott
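The decision described in the message above, as an added example that is not part of the original post and not Shibboleth project code. A real MFA transition script runs inside the IdP's script engine against the Java API (the `input` object is the AuthenticationContext, the subcontext is looked up by its class name, and principals are Java objects); this is a Node-runnable model of the same logic. Everything below the first comment is assumed for illustration: the ranking of authentication context classes, the `http://example.org/ac/classes/mfa` URI, the set of Duo-implying principals, and the stand-in `isAcceptable()` that honours the four SAML comparison operators. The point it shows is the one Scott makes: the "nothing requested" case has to be carved out first, and after that you ask "is a Duo-implying principal acceptable to the SP?", not "did the SP name it?".

```javascript
'use strict';

// Model of the IdP 3.3 MFA "do we need Duo?" decision. Added example, not IdP code.

// Assumed site-specific weighting of authn context classes, weakest first.
// The PasswordProtectedTransport URN is the standard SAML one; the MFA URI is hypothetical.
const PASSWORD_ACR = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';
const MFA_ACR = 'http://example.org/ac/classes/mfa'; // hypothetical local value
const ACR_RANK = new Map([[PASSWORD_ACR, 1], [MFA_ACR, 2]]);

// Principal types that imply Duo ran (assumption for this model: just the MFA class ref).
const DUO_IMPLYING = [MFA_ACR];

const RPC_NAME = 'net.shibboleth.idp.authn.context.RequestedPrincipalContext';

// Stand-in for RequestedPrincipalContext: the requested class refs, the SAML
// comparison operator, and an isAcceptable() that applies that operator using
// the rank table above. The real method takes Principal objects; this takes strings.
function makeRequestedPrincipalContext(requested, operator) {
  return {
    getRequestedPrincipals: () => requested.slice(),
    getOperator: () => operator,
    isAcceptable(candidate) {
      const c = ACR_RANK.get(candidate);
      if (c === undefined) return false; // unknown class: never acceptable
      return requested.some((r) => {
        const rr = ACR_RANK.get(r);
        if (rr === undefined) return false;
        switch (operator) {
          case 'exact':   return candidate === r;
          case 'minimum': return c >= rr;
          case 'maximum': return c <= rr;
          case 'better':  return c > rr;
          default:        return false;
        }
      });
    },
  };
}

// Stand-in for the flow's `input` (AuthenticationContext): a subcontext lookup
// that returns null when no RequestedPrincipalContext was created for the request.
function makeInput(rpCtx) {
  const subs = new Map();
  if (rpCtx) subs.set(RPC_NAME, rpCtx);
  return { getSubcontext: (name) => subs.get(name) || null };
}

// The transition-script decision. Returns the next flow to run, or null to stop
// after the first factor (in this model; the real flow's return convention is its own).
function checkSecondFactor(input) {
  const rpCtx = input.getSubcontext(RPC_NAME);
  // Carve-out: no RequestedPrincipalContext means nothing was requested. This case
  // has to be handled explicitly, because "nothing requested" would otherwise make
  // every principal acceptable and Duo would always run.
  if (rpCtx === null) return null;
  // Otherwise ask whether any Duo-implying principal is acceptable to the SP.
  // With "exact", Password alone rules Duo out and Password+MFA lets it in.
  const duoAcceptable = DUO_IMPLYING.some((p) => rpCtx.isAcceptable(p));
  return duoAcceptable ? 'authn/Duo' : null;
}

module.exports = { checkSecondFactor, makeInput, makeRequestedPrincipalContext, PASSWORD_ACR, MFA_ACR };
```

One consequence of testing acceptability rather than the requested list, visible in the model: if an SP asks for Password with the "minimum" operator, the MFA class outranks it and so is acceptable, and Duo runs even though the SP never named it. Whether that is what you want depends on your weighting configuration, so it is worth checking your own rank table against that case.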
