c14n attribute sourced subject, multiple principals

Cantor, Scott cantor.2 at osu.edu
Thu Mar 19 09:50:08 EDT 2020

> I see.  I think I understand what you mean.  If the SP calls for MFA and the MFA
> flow is called, the IdP won't say report that MFA was used if it only ran the
> password flow (as opposed to running password and then running duo), is that
> right?

Yes, if it's allowed to behave normally. Doing things like adding supportedPrincipals that reflect MFA to the Password flow so that a "fail-open" continues to satisfy requests for MFA will defeat those controls.

-- Scott

More information about the users mailing list