SP requesting MFA login

Cantor, Scott cantor.2 at osu.edu
Tue Sep 17 18:52:51 EDT 2019

On 9/17/19, 3:20 PM, "users on behalf of Jeffrey Williams" <users-bounces at shibboleth.net on behalf of jfwillia at uncg.edu> wrote:

> David is correct.  Apologies for the lack of detail.  Any user, regardless of their MFA enrollment status, will encounter
> that error when they try to log into an SP that is requesting the MFA profile.  Here is how our flow looks today (largely
> adapted from our 2.x environment that used this as a reference)

I think you have the logic backwards.

>                if (mfaCtx.isAcceptable()) {
>                    // Attribute check is required to decide if first factor alone is enough.

This conditional is (abstractly speaking) checking whether the SP is asking for anything beyond a password, but it's only executing your attribute logic if it *isn't*. So the SP asking for MFA is bypassing it.
The problem is, there's no magic answer here. You can't make "not an error" happen if a user is not enrolled but the SP asks for MFA. That's going to fail. I thought that was your problem, but I don't know whether you appreciate that fact or not. You can make it do "the right thing", but the right thing in that case is still going to be failure.

As long as that's ok, I think you just have to reverse the conditional:  if the result of the isAcceptable method is *false*, then see if you can do Duo to satisfy that. If it's true, you want it to bail out since the SP is happy without Duo and you don't need to bother checking for the enrollment status.

-- Scott
