SP requesting MFA login

IAM David Bantz dabantz at alaska.edu
Tue Sep 17 13:39:15 EDT 2019

That's what I thought until I read the line:
> This is regardless of MFA enrollment.

So he's claiming short-circuit even for those enrolled for MFA
[and presumably successfully using with (all) other SPs)]


On Tue, Sep 17, 2019 at 9:22 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 9/17/19, 12:59 PM, "users on behalf of Jeffrey Williams" <
> users-bounces at shibboleth.net on behalf of jfwillia at uncg.edu> wrote:
> > We're currently running 3.3.3 using the native Duo plugin and the IDP
> has only one flow. It's scripted to check to see if
> > the user is enrolled in MFA before presenting authn/Duo.
> Then the result is correct. It presumably checked, they weren't enrolled,
> so it didn't do MFA, and the result did not satisfy the request.
> > However, it seems that the IdP's authentication flow short-circuits
> after 1FA and sends an error back to the SP saying:
> You short-circuited it yourself, that's what "check to see if user is
> enrolled" would imply it's told to do.
> > I checked through the docs and didn't find anything that seemed to
> answer the question.  Is there a way to maintain
> > the single authentication flow and have it only authenticate MFA users
> for this SP?
> It seems like that's what it did. It refused to authenticate the non-MFA
> user(s).
> -- Scott
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190917/3d6ff690/attachment.html>

More information about the users mailing list