Autumn flow: MFA and Password interoperability

Fri Jul 12 12:16:36 EDT 2019
This page has some info on how to re-use the MFA flows

If you actually need to pull out the values, can you try this: getAuthenticationFlowDescriptor().getId()?

Not sure which subtree it would come under (or how to retrieve its subcontext), but the class name is: net.shibboleth.idp.authn.impl.FinalizeMultiFactorAuthentication
It's in the jar file: idp-authn-impl-3.3.1.jar

It's also configured in the system beans in the file: shibboleth-idp/system/flows/authn/mfa-authn-beans.xml

    <!-- p:resultMergingStrategy: This would be what we're interested in. -->
    <bean id="FinalizeMultiFactorAuthentication" scope="prototype"
        p:resultMergingStrategy="#{getObject('shibboleth.authn.MFA.resultMergingStrategy')}"
        p:resultCachingPredicate="#{getObject('shibboleth.authn.MFA.resultCachingPredicate')}" />

-----Original Message-----
From: users <users-bounces at> On Behalf Of Mak, Steve
Sent: Friday, July 12, 2019 11:30 AM
To: Shib Users <users at>
Subject: Re: Autumn flow: MFA and Password interoperability

So I've converted everything to MFA flow and built a bypass in the checkSecondFactor script and set reuseCondition="false" on authn/MFA.

If I need to run some code block ONLY if the Duo flow was previously NOT run, how would I do that?

I've tried comparing authContext.getActiveResults().get('authn/MFA') with authContext.getAuthenticationResult() and authContext.getInitialAuthenticationResult(), but none of that seems to work.

2019-07-12 10:15:00,266 - INFO [authn/MFA-checkSecondFactor:12] - Authentication result: null
2019-07-12 10:15:00,266 - INFO [authn/MFA-checkSecondFactor:15] - Previous authn/MFA results: AuthenticationResult{authenticationFlowId=authn/MFA, authenticatedPrincipal=blahblah, authenticationInstant=2019-07-12T10:14:52.314-04:00, lastActivityInstant=2019-07-12T10:14:52.314-04:00, previousResult=true}

And this is after I logged into a Duo app, killed the SP shib_session cookie, and did a full SAML flow again.

- Steve Mak
