Autumn flow: MFA and Password interoperability

Cantor, Scott cantor.2 at osu.edu
Tue Jul 9 11:54:21 EDT 2019


> Is it possible with out of the box config to have the MFA/Password flow context
> fulfill the Password flow for the relying party override?

It would. The principals in the MFA result will be a union of Password and Duo's configured set, and so it would work fine to satisfy an app that is configured to request or require just a PasswordProtectedContext principal/context class.

I think you probably handled the non-MFA case incorrectly in the configuration and aren't instructing the system what to do with the right level of abstraction. As long as its defaultAuthenticationMethods property is overridden to indicate that it only needs PasswordProtectedContext or whatever, it should work fine as an exception case and the isAcceptable() check that the shipped examples use as a control test in the MFA flow will work correctly.

-- Scott
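
The configuration described in the reply above, sketched as an added example. It is not part of the original message or the poster's own configuration. It assumes Shibboleth IdP v3 bean names as used in the shipped example files, a placeholder SP entityID, and the standard SAML PasswordProtectedTransport class URI standing in for the "PasswordProtectedContext or whatever" principal.

```xml
<!-- conf/relying-party.xml: exception case for one SP (entityID is a placeholder).
     Only the requested method is lowered; the MFA flow is still the flow that runs. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>
</util:list>

<!-- conf/authn/mfa-authn-config.xml: control test modeled on the shipped example.
     After Password succeeds, isAcceptable() compares the principals gathered so far
     with what the request (or the override above) asks for. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
            nextFlow = "authn/Duo";   // default: continue to the second factor
            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
            if (mfaCtx.isAcceptable()) {
                nextFlow = null;      // Password alone satisfies this relying party
            }
            nextFlow;
        ]]>
        </value>
    </constructor-arg>
</bean>
```

When reviewing such an override, confirm it is scoped to the intended entityID only, since every SP it matches stops being prompted for the second factor by default.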