Logic for mfa-authn-config.xml

Peter Schober peter.schober at univie.ac.at
Fri Jan 12 06:13:23 EST 2018


* Paul B. Henson <henson at cpp.edu> [2018-01-12 03:42]:
> Not really :). Per intended security policy there is a third
> possible state: an application which will require MFA for user
> accounts which are enrolled in duo and can do it, but succeed
> without it for user accounts which are not enrolled in duo and
> aren't capable of MFA...

1. SP doesn't require anything special
  1.1. subject has no MFA on record: don't force MFA, use SSO/etc.
  1.2. subject has MFA on record: let's use it
2. SP does require MFA
  2.1. subject has no MFA on record: fail
  2.2. subject has MFA on record: use it.

AFAIU your open question is all about variant 1.2 (and variants 1.1
and all variants for 2 are trivial), right?

The way I see it you can either always enforce MFA for those that have
it available for /all/ SPs (only requires attribute lookup) *or* you'd
need to implement something that enumerates the SPs for which this
behaviour is desired (with the IDP treating all other SPs like in
1.1.).
Possibly giving an entity attribute to such SPs, and making the
enforcement of MFA dependent on both the has-MFA-available attribute
lookup as well as the
force-MFA-for-this-SP-if-subject-has-MFA-available entity attribute.

-peter
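As an added illustration (not part of the thread, and not Shibboleth's own code), the decision Peter lays out above can be modelled as one plain-JavaScript function in the style of an mfa-authn-config.xml transition script, with the IdP context lookups replaced by plain objects so it runs stand-alone. The attribute id `mfaAvailable`, the entity-attribute name and the flow ids are assumptions.

```javascript
// Added example: a stand-alone model of the MFA decision from the post.
// In a real IdP this logic would sit in the transition script of
// mfa-authn-config.xml and read the SP's entity attributes and the subject's
// resolved attributes from the IdP contexts; here they are passed in as
// plain objects {name: [values]} so the three cases can be exercised offline.

// Assumed (hypothetical) names for the two inputs the post mentions.
var MFA_AVAILABLE_ATTR = "mfaAvailable";   // subject attribute: "true" when enrolled in Duo
var FORCE_MFA_TAG = "http://example.org/entity-attributes/force-mfa-if-available";
var MFA_FLOW = "authn/Duo";                // flow to run when MFA is used
var PASSWORD_FLOW = "authn/Password";      // first factor only (SSO/password)

function hasValue(attributes, name, value) {
  var values = attributes[name] || [];
  return values.indexOf(value) !== -1;
}

// "has-MFA-available" attribute lookup on the subject.
function subjectHasMfa(resolvedAttributes) {
  return hasValue(resolvedAttributes, MFA_AVAILABLE_ATTR, "true");
}

// "force-MFA-for-this-SP-if-subject-has-MFA-available" entity attribute on the SP.
function spForcesMfaIfAvailable(entityAttributes) {
  return hasValue(entityAttributes, FORCE_MFA_TAG, "true");
}

// Returns the next authentication flow to run, or null to fail the login.
//   spRequiresMfa:      true when the SP's request demands MFA (case 2)
//   entityAttributes:   the SP's metadata entity attributes
//   resolvedAttributes: the subject's resolved IdP attributes
function decideNextFlow(spRequiresMfa, entityAttributes, resolvedAttributes) {
  var hasMfa = subjectHasMfa(resolvedAttributes);
  if (spRequiresMfa) {
    return hasMfa ? MFA_FLOW : null;        // 2.2 use it / 2.1 fail
  }
  if (hasMfa && spForcesMfaIfAvailable(entityAttributes)) {
    return MFA_FLOW;                         // 1.2, only for SPs carrying the tag
  }
  return PASSWORD_FLOW;                      // 1.1, and 1.2 for untagged SPs
}
```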


More information about the users mailing list