Authn Error - IdP v3
Cantor, Scott
cantor.2 at osu.edu
Mon May 9 17:22:24 EDT 2016
> My bad Scott, apologies. I was looking in the wrong place. I didn't realize the
> properties were mutually exclusive.
They're not mutually exclusive, they're overlapping, which is why it's an ugly little feature. It's just a stopgap. But it doesn't make sense to use it with certificates.
> Regarding, X509 as initial authn, I'm just testing a use case where we want to
> use certs for primary authn followed by another factor. That's where I was
> trying to replicate the MCB stuff based on one of the documents in the wiki.
No, that won't do what you want. The initial-authn thing only runs then there's no session and it's just skipped entirely at any other time because the user identify it pulled out of the session.
I can't do much besides acknowledge that combining factors isn't really a feature it provides. It just wasn't a requirement for the first releases. The requirement we had was for *selecting* different factors, not combining them. 3.3 will provide a method to combine them.
But there is documentation on authoring login flows and of course there're the existing flows to copy and adapt.
-- Scott
More information about the users
mailing list