Best practice MFA IdP3.3.1

O'Dowd, Josh Josh.O'Dowd at mso.umt.edu
Mon Sep 11 17:41:06 EDT 2017


> It depends whether you need it preserved for subsequent logins I suppose. Kind of has to end up in the Subject in that case, but you'll have to mess around with registering your Principal class for serialization if you need that to work.

This is kind of a tricky situation, for me anyway...  We have users who we can resolve are both employee and student, and we have service(s) where those users will need to choose which account they want to log in to.  Obviously, it would be best for the service to make this determination, but that isn't a reality in these cases.

My concern is how attribute resolution will play out if one of these services comes up where there is an existing SSO session.

Josh

