Failure when using MFA with SP requiring exact match on PasswordProtectedTransport

Cantor, Scott cantor.2 at
Fri May 5 16:30:00 EDT 2017

On 5/5/17, 1:18 PM, "users on behalf of Leite, Zailo S." <users-bounces at on behalf of zleite at> wrote:

> What am I doing wrong?

Nothing necessarily, but normal use of the MFA flow with RemoteUser and Duo as the constituent parts should be scripted such that RemoteUser runs and then Duo runs, and if you do that, then the "merged" result of a Duo execution will be a Subject that carries both the Duo and RemoteUser supportedPrincipal sets. That would not result in the error you're getting. So you're doing something wrong, perhaps, but it isn't in any of the basic configuration, probably more in what your MFA rules are doing.

-- Scott

More information about the users mailing list