reuse of MFA flow result for SSO

Paul B. Henson henson at cpp.edu
Wed Mar 21 15:19:14 EDT 2018


> From: Cantor, Scott
> Sent: Tuesday, March 20, 2018 1:23 PM
>
> The rule you posted is in isolation, but assuming I can infer the rest being

For my initial basic testing, that was the entire rule :).
 
> Only if it asks for that. If it can't, and the IdP doesn't know to do it or can't
> make the determination without knowing the user, then the original result
> will simply be reused as sufficient.

Hmm, but if I override the requested AuthenticationContext for that specific relying party in the config, that is the same as if it had actually asked for it, so an existing password only session would be insufficient and the user would get rerouted through the MFA logic?

> You wouldn't generally check for the ones that don't, just the ones that do.

Tentatively I think the list of services that just don't want to do MFA at all will be much shorter than the ones that will optionally do MFA.

Thanks much for the help, sorry if I'm not picking things up as quickly as I should be.

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768
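The per-relying-party override discussed above, as an added example that is not from this thread or from the Shibboleth project's own documentation: a `RelyingPartyByName` override in the IdP's `relying-party.xml` that sets a default requested authentication context for one SP, so that an existing password-only session no longer satisfies the request and the user is routed through the MFA flow. The entity ID `https://sp.example.org/shibboleth` is a placeholder, and the context class `https://refeds.org/profile/mfa` is assumed to be the one the IdP's MFA flow advertises as its result; substitute whatever your flow actually produces.

```xml
<!-- Added example, placed inside the shibboleth.RelyingPartyOverrides list in relying-party.xml.
     Requires the Spring "c:" and "p:" namespaces already declared in that file.
     relyingPartyIds and the classRef value are placeholders/assumptions, not values from this thread. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO">
                <!-- Acts as if the SP had requested this AuthnContextClassRef itself:
                     a session that only carries a password result is insufficient,
                     so SSO reuse is skipped and the MFA flow runs. -->
                <property name="defaultAuthenticationMethods">
                    <list>
                        <bean parent="shibboleth.SAML2AuthnContextClassRef"
                              c:classRef="https://refeds.org/profile/mfa" />
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>
```

Note that this only changes what is required for that one relying party; SPs without an override keep the default behaviour, where a prior password-only result is reused as sufficient. Since the override list is consulted in order, keep such entries above any catch-all override that also matches the same SP.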