Step-up MFA

Aterea Brown atbrown at aut.ac.nz
Mon May 13 18:13:01 EDT 2019


Thanks for clearing that up, Scott. Would you be able to provide an example of the setup you describe?



--
Aterea Brown, AUT University
Cybersecurity, ICT
Email: atbrown at aut.ac.nz Phone: 9219999 x 6523
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, 14 May 2019 10:06 AM
To: Shib Users
Subject: Re: Step-up MFA

On 5/13/19, 5:51 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> It's already more complex than I'd like, and I'd welcome suggestions on how to simplify it.

The only way out is to force the flow to run: set reuseCondition to false so it never reuses the root result without running the script.

Covered at length in the MFA topic under "Reuse of the Entire authn/MFA Flow Result (When Is a MFA Next Flow Strategy Executed?)"

There are cleaner ways to do things, but they don't work in the situation you have. When you have a manageable number of SPs opting into MFA like I do, it's cleaner to do it the way I described originally, but you have SPs out there requesting it on their own combined with a huge number to default in, so it gets very ugly because of the need to prevent spoofing requests down to a weaker AuthnContext. The mess of tags and maintenance of systems in the different sets gets too ugly once it ramps up to "everything except a few" and it's easier to require nothing and let the MFA scripting sort it out.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
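As an added illustration of the setup Scott's reply describes (this fragment is not from the thread, nor from the Shibboleth project's own distribution files), the following shows what the relevant pieces of conf/authn/mfa-authn-config.xml could look like. It assumes IdP V3 bean names, a Duo second factor, and a constructed exempt-SP list; the SP entityID and the REFEDS MFA context class check are assumptions made for the example.

```xml
<!-- Illustrative fragment for conf/authn/mfa-authn-config.xml (IdP V3 bean names assumed);
     constructed for this example, not taken from the thread or the project files. -->

<!-- 1. Never reuse the whole authn/MFA result. The MFA flow is re-entered on every
        request, so the script below always runs; the cached first-factor result can
        still be picked up inside the flow by the IdP's normal reuse rules. -->
<bean id="shibboleth.authn.MFA.reuseCondition" parent="shibboleth.Conditions.FALSE" />

<!-- 2. Transition map: password first, then hand off to the script. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<!-- 3. Script deciding whether a second factor runs. "input" is the ProfileRequestContext.
        "Require nothing and let the script sort it out": the default is MFA for everyone,
        a short exempt list opts out, and an explicit request for MFA always wins. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted"
      factory-method="inlineScript">
    <value>
    <![CDATA[
        // Default: require the second factor.
        nextFlow = "authn/Duo";

        // Constructed placeholder list of SPs allowed to stay on the first factor only.
        var exempt = ["https://sp-legacy.example.org/shibboleth"];
        var rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
        if (rpCtx != null && exempt.indexOf(rpCtx.getRelyingPartyId()) >= 0) {
            nextFlow = null;   // stop here: Password result is the final result
        }

        // An SP that explicitly asks for MFA gets it regardless of the exempt list, so a
        // request cannot be talked down to a weaker context by the SP's list membership.
        // (REFEDS MFA context class assumed as the value the SPs request.)
        var authnCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        var reqCtx = authnCtx.getSubcontext("net.shibboleth.idp.authn.context.RequestedPrincipalContext");
        if (reqCtx != null) {
            var iter = reqCtx.getRequestedPrincipals().iterator();
            while (iter.hasNext()) {
                if (iter.next().getName() == "https://refeds.org/profile/mfa") {
                    nextFlow = "authn/Duo";
                }
            }
        }

        nextFlow;   // value handed back to the MFA flow
    ]]>
    </value>
</bean>
```

Because the reuse condition is fixed to false, the exempt list and the requested-context check are evaluated on every SSO request rather than only at first login, which is the point Scott makes. The Duo flow descriptor still needs a supportedPrincipals entry for the context class being asserted so the AuthnContext in the response reflects what actually ran.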