reuse of MFA flow result for SSO

[Paul B. Henson]

So we are still toddling along with our duo pilot, and it seems that MFA and SSO don't quite play together the way I thought they would.

One of our possible policies we are considering is going to be that some applications strictly require MFA, some will use it if available, and others just don't need it. My assumption was that if a user accessed a service that didn't need it and was not prompted for Duo MFA, just a password, and later accessed a service that strictly needed it, they would get routed to the MFA flow and add duo success to the existing password state in their SSO context. However, it seems that what does happen is if they have successfully gone through the MFA flow at all, even if just asked for a password, they do SSO on all following requests regardless of the authentication context a given SP requests, so they get sent to that SP and told to go away by it because they didn't do MFA.

Looking at the documentation https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration entitled "Reuse of the Entire authn/MFA Flow Result" which seems to discuss what I'm talking about, and while I haven't tested it it sounds like if I changed the idp.authn.favorSSO property and added a defaultAuthenticationMethods for the SP that demands MFA, it would do what I want?

However, that seems a bit complicated and manually intensive to have to maintain a local list of "MFA required" SPs rather than simply relying on them to request the authentication context they actually want. Is there some way to do this relying upon the requested authentication context for the tag rather than an explicit entity-category or list of SPs?

Or some other way completely to achieve the functionality I'm looking for?

Thanks much...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768