MFA flow active result reuse--multiple Duo integrations or multiple Duo flows

Cantor, Scott cantor.2 at osu.edu
Tue Jan 10 13:01:35 EST 2017


> > I don't believe so.
> 
> Ok, I will read the code again.

I reviewed it, and confirmed that like the normal "top level" behavior of the session persistence model, the MFA result manages its internal results in a map keyed by the flow ID and so it does maintain only a single one at a time.

Also, any reuse of an earlier result is managed by the deployer at the moment. That is, if you tell it to run a login flow (i.e. you transition via a rule to authn/Duo or whatever else), the system does not check for "acceptability" before it reuses a result. It probably should, but right now it's left to the caller to check that if it wants to. I will make sure that's in the docs and look into improving that. It's an ease of use thing I just overlooked.

To check one yourself, you could do:

authnContext.isAcceptable(mfaContext.getActiveResults().get(flowID))

> > If you need the results to be active simultaneously, yes.
> 
> That is the rub. I need both to be active simultaneously.

Yes, that's a limitation of the design. It wouldn't be easy to fix in the "top level" of the system, but may be fixable (or I should say extendable) in the MFA layer's management of its results since ultimately it's more up to the rules and merge strategy and such whether it's understandable in the end.

-- Scott


