Using an activation condition with a MFA transition map

Guillaume Rousse guillaume.rousse at
Wed Sep 18 08:50:47 EDT 2019

While trying to figure out how to script a network-based condition for 
MFA flow selection, I found the Activation Condition documentation:

I couldn't succeed using the Client Address Ranges example with the MFA 
transition map, though.

This doesn't work:
<bean id="MyCondition"
   p:ranges="#{ '', '' }" />

<entry key="authn/Flow1">
     p:activationCondition-ref="MyCondition" />
-> invalid property error

And this doesn't either:
<entry key="authn/Flow1">
     p:nextFlowStrategy-ref="MyCondition" />
-> invalid type error.

While the documentation explicitly mentions "Limiting when 
authentication flows may be used" as a potential use case for this 
feature, I guess it only applies to top-level flow selection, not 
subflow transition inside MFA flow.

Did I miss something here?

Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
