Using an activation condition with a MFA transition map
Guillaume Rousse
guillaume.rousse at renater.fr
Thu Sep 19 04:02:18 EDT 2019
On 18/09/2019 at 15:11, Cantor, Scott wrote:
> On 9/18/19, 8:51 AM, "users on behalf of Guillaume Rousse" <users-bounces at shibboleth.net on behalf of guillaume.rousse at renater.fr> wrote:
>
>> While the documentation explicitly mentions "Limiting when
>> authentication flows may be used" as a potential use case for this
>> feature, I guess it only applies to top-level flow selection, not
>> subflow transition inside MFA flow.
>
> It applies to objects that happen to support such a property, and the AuthenticationFlowDescriptor objects do, those rules don't.
>
> They're scriptable, so there's nothing that would be gained, any condition can be run from within a script itself.
Indeed. I'll add an example on the MFA configuration page.
Next question: the current implementation of IPRangePredicate compares
the source address of an HTTP request with a set of network ranges. What
would be the best way to use the X-Forwarded-For header instead for this
comparison, so as to make it usable from behind a reverse-proxy?
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
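
On the X-Forwarded-For question above, an added example (not part of the original message, and not Shibboleth code): a header-based range check should honour the header only when the direct peer is a known reverse proxy, and should take the rightmost hop that is not itself a trusted proxy, since anything further left is supplied by the client. IPv4 only; every function name and address below is constructed for illustration.

```javascript
// Added example, not Shibboleth code. IPv4 only; names and addresses are constructed.

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if addr lies inside any CIDR range such as "192.0.2.0/24".
function inRanges(addr, ranges) {
  const ip = ipv4ToInt(addr);
  if (ip === null) return false;
  return ranges.some((cidr) => {
    const [base, bitsText] = cidr.split("/");
    const baseInt = ipv4ToInt(base);
    if (baseInt === null || !/^\d{1,2}$/.test(bitsText || "")) return false;
    const bits = Number(bitsText);
    if (bits > 32) return false;
    const size = 2 ** (32 - bits); // number of addresses in the range
    return Math.floor(ip / size) === Math.floor(baseInt / size);
  });
}

// Address to test against the allowed ranges, or null when the header is unusable.
// The header is honoured only when the TCP peer is a known proxy. Hops are read
// right to left: entries appended by trusted proxies are skipped, and the first
// untrusted hop is the client. Anything left of it is client-supplied and ignored.
function effectiveClientAddress(peerAddr, xffHeader, trustedProxies) {
  if (!inRanges(peerAddr, trustedProxies) || !xffHeader) return peerAddr;
  const hops = xffHeader.split(",").map((h) => h.trim());
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) return null; // malformed entry: fail closed
    if (!inRanges(hops[i], trustedProxies)) return hops[i];
  }
  return hops[0]; // every hop was a trusted proxy
}

function clientInRange(peerAddr, xffHeader, trustedProxies, allowedRanges) {
  const client = effectiveClientAddress(peerAddr, xffHeader, trustedProxies);
  return client !== null && inRanges(client, allowedRanges);
}
```

The proxy must also be configured to append the peer address to the header rather than pass a client-supplied value through unchanged, otherwise the rightmost entry is not trustworthy either.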