Best practice MFA IdP3.3.1

Cantor, Scott cantor.2 at osu.edu
Mon Sep 11 18:45:16 EDT 2017


On 9/11/17, 6:02 PM, "users on behalf of O'Dowd, Josh" <users-bounces at shibboleth.net on behalf of Josh.O'Dowd at mso.umt.edu> wrote:

> Trying to follow... Will the interceptor run (as a postAuthenticationFlow) regardless of an existing Authn result (SSO session)?

They always run, you decide what they do.

> If yes, I should do the prompting and attribute resolve prep from the interceptor instead of from MFA.

They run after attributes are resolved. You shouldn't conditionally resolve anything, do it all and then just decide what gets released.

-- Scott




