more mfa scripting logic

Cantor, Scott cantor.2 at osu.edu
Mon Feb 5 16:37:07 EST 2018


> The part I don't get from your example (and it's definitely my lack of
> understanding) ... where is it that you are forcing DUO for those Banner/Cas
> services?

The appropriate way to do this for a group of services is to define a RelyingPartyOverride and then configure the relevant profile bean(s) to carry a defaultAuthenticationMethods property referencing the right custom Principal string. The wiki has examples of that and the relevant caveats.

MFA logic shouldn't do anything it doesn't have to. If the rule is "MFA always for all users of X services", don't do it with the MFA scripting, use the relying party configuration and leave the MFA logic as "do first factor, then if isAcceptable(), done, else do second factor". The relying party setting will cause isAcceptable() to be false and cause the second factor to be run.

The MFA trickery is for when the rule is "MFA sometimes under some conditions for some services and other conditions for other services and..."

-- Scott
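An illustration of the two halves of the arrangement Scott describes, as an added example that is not part of the original post and not the Shibboleth project's own documentation: a RelyingPartyOverride in relying-party.xml that makes the SAML2.SSO profile for a named group of SPs default to an MFA authentication context, and an MFA transition map in mfa-authn-config.xml whose only logic is "first factor, then stop if isAcceptable(), else second factor". The entity IDs, the bean names `MFAClassRefs` and `checkSecondFactor`, and the choice of `https://refeds.org/profile/mfa` as the custom Principal string are assumptions; the `authn/Password` and `authn/Duo` flow IDs are the IdP's stock flow names.

```xml
<!-- relying-party.xml: force MFA for a group of SPs by overriding the
     profile's default authentication method. Entity IDs are constructed
     placeholders for this example. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- The Principal string used here must match the one the MFA flow
         is configured to produce, so that isAcceptable() can see it. -->
    <util:list id="MFAClassRefs">
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
              c:classRef="https://refeds.org/profile/mfa" />
    </util:list>

    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="#{ {'https://banner.example.edu/sp',
                                 'https://cas.example.edu/sp'} }">
        <property name="profileConfigurations">
            <list>
                <!-- Requests from these SPs now demand an MFA context by
                     default; a first-factor-only result is no longer
                     acceptable, so the MFA flow must run the second factor. -->
                <bean parent="SAML2.SSO"
                      p:defaultAuthenticationMethods-ref="MFAClassRefs" />
            </list>
        </property>
    </bean>

</util:list>

<!-- mfa-authn-config.xml: the MFA logic itself stays minimal and carries
     no per-service rules; the relying-party override above drives the
     isAcceptable() outcome. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">

    <!-- Empty key = initial step: always run the first factor. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition"
              p:nextFlow="authn/Password" />
    </entry>

    <!-- After the first factor, let a script decide whether to stop. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition"
              p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>

</util:map>

<!-- Hypothetical bean name; the body is the standard "stop if acceptable"
     pattern written as an inline Nashorn script. -->
<bean id="checkSecondFactor"
      parent="shibboleth.ContextFunctions.Scripted"
      factory-method="inlineScript">
    <value>
    <![CDATA[
        // Default: continue to the second factor.
        var nextFlow = "authn/Duo";

        var authCtx = input.getSubcontext(
            "net.shibboleth.idp.authn.context.AuthenticationContext");
        var mfaCtx = authCtx.getSubcontext(
            "net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

        // isAcceptable() is true only when the results collected so far
        // satisfy the request's required/default authentication methods.
        // For the SPs overridden above, a password-only result cannot
        // satisfy the MFA context, so this stays false and Duo runs.
        if (mfaCtx.isAcceptable()) {
            nextFlow = null;   // null ends the MFA flow successfully
        }

        nextFlow;   // last expression is the script's return value
    ]]>
    </value>
</bean>
```

Keeping the script this small is the point: any "always MFA for service X" rule lives in the override list, where it can be audited in one place, and the script only answers "has the request's requirement been met yet". Per-user or per-condition rules are the case where the script itself would have to grow.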


