SP requesting MFA login
Cantor, Scott
cantor.2 at osu.edu
Tue Sep 17 13:22:18 EDT 2019
On 9/17/19, 12:59 PM, "users on behalf of Jeffrey Williams" <users-bounces at shibboleth.net on behalf of jfwillia at uncg.edu> wrote:
> We're currently running 3.3.3 using the native Duo plugin and the IDP has only one flow. It's scripted to check to see if
> the user is enrolled in MFA before presenting authn/Duo.
Then the result is correct. It presumably checked, they weren't enrolled, so it didn't do MFA, and the result did not satisfy the request.
> However, it seems that the IdP's authentication flow short-circuits after 1FA and sends an error back to the SP saying:
You short-circuited it yourself, that's what "check to see if user is enrolled" would imply it's told to do.
> I checked through the docs and didn't find anything that seemed to answer the question. Is there a way to maintain
> the single authentication flow and have it only authenticate MFA users for this SP?
It seems like that's what it did. It refused to authenticate the non-MFA user(s).
-- Scott
More information about the users
mailing list