Step-up MFA
Wessel, Keith
kwessel at illinois.edu
Tue May 14 07:24:45 EDT 2019
That's what I was looking for. Thanks, Scott and Andy. No idea how I missed this item in the upgrade notes for 3.4.
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Monday, May 13, 2019 5:06 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Step-up MFA
On 5/13/19, 5:51 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> It's already more complex than I'd like, and I'd welcome suggestions on how to simplify it.
The only way out is to force the flow to run: set reuseCondition to false so it never reuses the root result without running the script.
Covered at length in the MFA topic under "Reuse of the Entire authn/MFA Flow Result (When Is a MFA Next Flow Strategy Executed?)"
There are cleaner ways to do things, but they don't work in the situation you have. When you have a manageable number of SPs opting into MFA like I do, it's cleaner to do it the way I described originally, but you have SPs out there requesting it on their own combined with a huge number to default in, so it gets very ugly because of the need to prevent spoofing requests down to a weaker AuthnContext. The mess of tags and maintenance of systems in the different sets gets too ugly once it ramps up to "everything except a few" and it's easier to require nothing and let the MFA scripting sort it out.
-- Scott