cantor.2 at osu.edu
Mon May 13 18:06:06 EDT 2019
On 5/13/19, 5:51 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> It's already more complex than I'd like, and I'd welcome suggestions on how to simplify it.
The only way out is to force the flow to run: set reuseCondition to false so it never reuses the root result without running the script.
Covered at length in the MFA topic under "Reuse of the Entire authn/MFA Flow Result (When Is a MFA Next Flow Strategy Executed?)".
There are cleaner ways to do things, but they don't work in the situation you have. When you have a manageable number of SPs opting into MFA like I do, it's cleaner to do it the way I described originally, but you have SPs out there requesting it on their own combined with a huge number to default in, so it gets very ugly because of the need to prevent spoofing requests down to a weaker AuthnContext. The mess of tags and maintenance of systems in the different sets gets too ugly once it ramps up to "everything except a few" and it's easier to require nothing and let the MFA scripting sort it out.