c14n attribute sourced subject, multiple principals

Cantor, Scott cantor.2 at osu.edu
Wed Mar 18 17:37:51 EDT 2020

On 3/18/20, 5:20 PM, "users on behalf of Joseph Fischetti" <users-bounces at shibboleth.net on behalf of Joseph.Fischetti at marist.edu> wrote:

> A condition bean as in... activation condition?  Or a condition within the
> custom script that does a lookup, etc?

The latter, but it's variable; that's tied into when/how you want to do the bypass. You don't have to write new code to check CIDR ranges; there's already an IPRangePredicate class that does it, but you have to wire it up into something that calls it and decides what to do based on the answer.

> I guess you're suggesting I do it because it's the "right thing to do" not
> necessarily because it's the best way to do it.

I'm not saying lying is the right thing to do, I'm saying it's what people usually want, and Duo doing the bypass gets that result with no extra work. Personally, I think it's lying, and I don't think IdPs should lie. If an SP thinks a bypass is appropriate, it should not require MFA because that's not in fact what it's requiring by accepting that. So leave it up to the IdP and be done with it. But that's often not the desired result.

> Re: my other point... I added a log to the PrincipalNameLookupStrategy, and

I don't know what your script is doing, but suffice to say it's likely just not correct. But that's outside what I can do for free; this is already pushing it. My general rule now is that MFA is not really subject to free support.

-- Scott
