MFA flow active result reuse--multiple Duo integrations or multiple Duo flows

Scott Koranda skoranda at gmail.com
Mon Jan 9 18:44:05 EST 2017


Hi,

I am using IdP version 3.3.0.

It appears that the MFA flow determines reuse of an active
result only by the name or flowId of the flow and does not
consider the principal that was attached to that active
result.

When there are multiple Duo integrations with distinct
principal sets this effectively treats all of those principal
sets as equivalent since the MFA flow will reuse any active Duo
result if during the evaluation of the transition strategy it
is signaled to use 'authn/Duo'.

Is that correct?

If so, then if I want two distinct Duo integrations to really
be completely distinct (as if one were Duo and one were some
other method like X.509 certificate) I need to define two
distinct flows, say authn/Duo and authn/DuoOther, and manage
them in the MFA transition strategy.

Is that correct?

Thanks,

Scott K


More information about the users mailing list