MFA Resources

Cantor, Scott cantor.2 at
Tue Jul 28 18:58:00 UTC 2020

On 7/28/20, 2:45 PM, "users on behalf of Jeremiah Garmatter" <users-bounces at on behalf of j-garmatter at> wrote:

> Thank you for the information, I've corrected the idp.authn.flows to be MFA only. From your explanations, I can say that
> something clicked and I began to understand how the authentication flows are built, how to enable them properly and
> how they are defined through mfa-authn-config.xml as well as general-authn.xml.

If enabling only the MFA flow is working, it's likely you're pretty close to a correct answer, but testing is really the only way to know if you're trying to be sure it's requiring Duo when it should. SSO can mask a lot of behavior and make it hard to tell there are gaps.

It also helps if your rules are strictly service-driven and not user-based. Once they get more complex, avoiding holes is harder.

> Currently, the system is working as I want it to and I believe I have figured out how to override the global configurations
> within relying-party.xml across my individual services. Thank you for taking the time to answer my questions.

Since you seem to have made it to a better state of understanding probably despite my help, knowing what the documentation did to hinder that would help in improving it. What terms made no sense without definitions, that kind of thing.

-- Scott

More information about the users mailing list