SP requesting MFA login

Cantor, Scott cantor.2 at osu.edu
Tue Sep 17 13:22:18 EDT 2019

On 9/17/19, 12:59 PM, "users on behalf of Jeffrey Williams" <users-bounces at shibboleth.net on behalf of jfwillia at uncg.edu> wrote:

> We're currently running 3.3.3 using the native Duo plugin and the IDP has only one flow. It's scripted to check to see if
> the user is enrolled in MFA before presenting authn/Duo.  

Then the result is correct. It presumably checked, they weren't enrolled, so it didn't do MFA, and the result did not satisfy the request.

> However, it seems that the IdP's authentication flow short-circuits after 1FA and sends an error back to the SP saying:

You short-circuited it yourself, that's what "check to see if user is enrolled" would imply it's told to do.

> I checked through the docs and didn't find anything that seemed to answer the question.  Is there a way to maintain
> the single authentication flow and have it only authenticate MFA users for this SP?

It seems like that's what it did. It refused to authenticate the non-MFA user(s).

-- Scott

More information about the users mailing list