c14n attribute sourced subject, multiple principals

Joseph Fischetti Joseph.Fischetti at marist.edu
Thu Mar 19 09:09:58 EDT 2020

> That isn't what I mean by lying. Lying is *not* performing a second factor
> while claiming that you did (i.e what Duo does). Deciding whether to do it,
> and then just accurately reflecting the result is exactly what the IdP should
> do, and what any examples I've posted generally do.

I see.  I think I understand what you mean.  If the SP calls for MFA and the MFA flow is called, the IdP won't say report that MFA was used if it only ran the password flow (as opposed to running password and then running duo), is that right?

Thanks for taking the time Scott.  I appreciate your insight.


More information about the users mailing list