Authn Error - IdP v3

Cantor, Scott cantor.2 at
Mon May 9 17:22:24 EDT 2016

> My bad Scott, apologies. I was looking in the wrong place. I didn't realize the
> properties were mutually exclusive.

They're not mutually exclusive, they're overlapping, which is why it's an ugly little feature. It's just a stopgap. But it doesn't make sense to use it with certificates.

> Regarding, X509 as initial authn, I'm just testing a use case where we want to
> use certs for primary authn followed by another factor. That's where I was
> trying to replicate the MCB stuff based on one of the documents in the wiki.

No, that won't do what you want. The initial-authn thing only runs then there's no session and it's just skipped entirely at any other time because the user identify it pulled out of the session.

I can't do much besides acknowledge that combining factors isn't really a feature it provides. It just wasn't a requirement for the first releases. The requirement we had was for *selecting* different factors, not combining them. 3.3 will provide a method to combine them.

But there is documentation on authoring login flows and of course there're the existing flows to copy and adapt.

-- Scott

More information about the users mailing list