forceAuthn with DUO
cantor.2 at osu.edu
Thu May 30 08:39:36 EDT 2019
> The initial-authn feature was already removed from the next version. I don't remember whether it honors ForceAuthn.
It does not. The gory details are in IDP-800 but it doesn't honor that setting. The IdP will still force the Password flow to run if it thinks it needs to in response to ForceAuthn, but you're misconfiguring Duo and Password as alternatives, not as a sequence of two steps. So an SP requiring Duo with a pre-existing session and ForceAuthn will just force the Duo flow to run, which is what it's doing. That flow by itself satisfies the request.
More information about the users