Impersonation in IDP

Hong Ye hy93 at cornell.edu
Thu Aug 24 12:05:41 EDT 2017


Thank you very much for your offer. An example would be very helpful. Where do I file a request?

Hong

On 8/24/17, 11:57 AM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:

    > Thanks for the suggestion. In conf/c14n/subject-c14n.xml, it says this flow is
    > used after authentication. I thought I could use this to switch user’s identity. I
    > did some experiment and found this flow was executed after Remote user
    > authentication, but before DUO. Is that the desired behavior? Is it possible to
    > make this flow run after DUO? We currently use MFA flow.
    
    It runs after every individual login method and there are complex implications to doing anything like that, amplified by using Duo or anything like it.
    
    If you really want to try to do it with c14n and fully switch the identity, you would have to do it regardless of the SP(s) involved, and that alone makes it a bad idea in most cases. It would have to be done as part of the MFA flow's own c14n step with a custom c14n flow that was aware enough to only act on the final MFA result. Very tricky to get right and I wouldn't do it that way.
    
    I would add an intercept that only affected an individual transaction (but could be extended in theory to do various things under the covers that could potentially impact future ones). I don't think it would be a huge amount of work to build an example and if you file a request I would be happy to see what's possible in a relatively constrained amount of effort because Cornell is a member. I can't spend a week on it, but a few hours to cook up something with some plug points to control the behavior should be fairly fast.
    
    -- Scott
    