Authn flow: MFA and Password interoperability

Mak, Steve makst at upenn.edu
Tue Jul 9 11:45:31 EDT 2019


Context: Default relying party SAML2.SSO profile is configured to go through MFA (subflows: Password then Duo) flow. There exists a relying party override for an app that uses the Password flow for MFA-bypass.

Is it possible with out of the box config to have the MFA/Password flow context fulfill the Password flow for the relying party override?

Or if I'm coming from a bad starting point, is there a better way to have someone get to the second factor check of MFA, but not pass it, and be able to authenticate into another app to get help with MFA without having to re-enter their username+password? This is for cases where a user's second factor device isn't accessible, or they need alternatives.

I'm wary of combining this logic into a single MFA flow via the inline script because I don't want users to be able to bypass Duo by first hitting an app that has a Duo bypass but still completes the MFA flow, which is why I'm setting the override to the out of the box Password flow.

- Steve Mak
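For readers unfamiliar with the setup the question describes, here is a constructed Shibboleth IdP 3.x configuration, added as an illustration and not taken from the poster's deployment: the default relying party sends every SAML2 SSO request through the MFA flow (Password, then Duo, via the transition map), while one named relying party is overridden to the stock Password flow only. The entity ID and the file split are assumptions; the bean parents (`RelyingParty`, `RelyingPartyByName`, `SAML2.SSO`, `shibboleth.authn.MFA.Transition`) and the `shibboleth.authn.MFA.TransitionMap` id are the standard ones shipped with the IdP.

```xml
<!-- Constructed example fragment of conf/relying-party.xml (not the poster's config). -->

<!-- Default relying party: all SAML2 SSO logins must complete the MFA flow. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:authenticationFlows="#{{'MFA'}}" />
        </list>
    </property>
</bean>

<!-- Override for the MFA self-help application. The entity ID is an assumed
     placeholder. Only the stock Password flow may satisfy this relying party,
     so the Duo step is neither invoked nor required here, and nothing about
     this entry relaxes the MFA requirement for the default relying party. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://mfa-help.example.edu/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:authenticationFlows="#{{'Password'}}" />
            </list>
        </property>
    </bean>
</util:list>

<!-- Constructed example fragment of conf/authn/mfa-authn-config.xml.
     Transition map for "Password, then Duo" with no scripted bypass logic. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Empty key = first step: collect the username and password. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- After a successful Password step, always run Duo. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Duo" />
    </entry>
    <!-- No entry for authn/Duo: a successful Duo result completes the MFA flow. -->
</util:map>
```

One thing to check with this layout: in IdP 3.x the MFA flow can call `authn/Password` and `authn/Duo` even when only `MFA` is listed in `idp.authn.flows`, which is the usual way to stop the sub-flows from being selected on their own. For the override above to use the Password flow directly, `Password` must also be enabled at the top level (for example `idp.authn.flows = MFA|Password` in idp.properties), and the `authenticationFlows` restriction on each relying party is then what keeps the Password-only result confined to the help application.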