c14n attribute sourced subject, multiple principals
Cantor, Scott
cantor.2 at osu.edu
Wed Mar 18 17:04:05 EDT 2020
I would not use the IPAddress flow. Its function is to map address ranges to generally artificial or at least service-account usernames. I doubt that's what you're really after here.
Using a condition bean from the MFA script to do the detection would be the right way to do it (if you don't want to use Duo's features for it).
In practice, it's very possible you really want Duo to do it. Using the IdP to do it is primarily in order to NOT assert MFA as the resulting context class in the event of a bypass, since it knows the Duo step didn't run. Most people doing bypasses are intending to lie to the SP and claim MFA was actually done, and the IdP can, but does not particularly make it easy, to do that.
-- Scott