reuse of MFA flow result for SSO

Paul B. Henson henson at
Wed Mar 21 15:19:14 EDT 2018

> From: Cantor, Scott
> Sent: Tuesday, March 20, 2018 1:23 PM
> The rule you posted is in isolation, but assuming I can infer the rest being

For my initial basic testing, that was the entire rule :).
> Only if it asks for that. If it can't, and the IdP doesn't know to do it or can't
> make the determination without knowing the user, then the original result
> will simply be reused as sufficient.

Hmm, but if I override the requested AuthenticationContext for that specific relying party in the config, that is the same as if it had actually asked for it, so an existing password only session would be insufficient and the user would get rerouted through the MFA logic?

> You wouldn't generally check for the ones that don't, just the ones that do.

Tentatively I think the list of services that just don't want to do MFA at all will be much shorter than the ones that will optionally do MFA.

Thanks much for the help, sorry if I'm not picking things up as quick as I should be.

Paul B. Henson  |  (909) 979-6361  |
Operating Systems and Network Analyst  |  henson at
California State Polytechnic University  |  Pomona CA 91768

More information about the users mailing list