Using an activation condition with a MFA transition map

Guillaume Rousse guillaume.rousse at
Thu Sep 19 04:02:18 EDT 2019

Le 18/09/2019 à 15:11, Cantor, Scott a écrit :
> On 9/18/19, 8:51 AM, "users on behalf of Guillaume Rousse" <users-bounces at on behalf of guillaume.rousse at> wrote:
>> While the documentation explicitely mentions "Limiting when
>> authentication flows may be used" as a potentiel use case for this
>> feature, I guess it only applies to top-level flow selection, not
>> subflow transition inside MFA flow.
> It applies to objects that happen to support such a property, and the AuthenticationFlowDescriptor objects do, those rules don't. > They're scriptable, so there's nothing that would be gained, any condition can be run from within a script itself.
Indeed. I'll add an example on the MFA configuration page.

Next question: the current implementation of IPRangePredicate compares 
the source address of an HTTP request with a set of network ranges. What 
would be the best way to use the X-Forwarded-For header instead for this 
comparaison, so as to make it usable from behind a reverse-proxy ?

Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3637 bytes
Desc: Signature cryptographique S/MIME
URL: <>

More information about the users mailing list