c14n attribute sourced subject, multiple principals
Cantor, Scott
cantor.2 at osu.edu
Thu Mar 19 09:50:08 EDT 2020
> I see. I think I understand what you mean. If the SP calls for MFA and the MFA
> flow is called, the IdP won't say report that MFA was used if it only ran the
> password flow (as opposed to running password and then running duo), is that
> right?
Yes, if it's allowed to behave normally. Doing things like adding supportedPrincipals that reflect MFA to the Password flow so that a "fail-open" continues to satisfy requests for MFA will defeat those controls.
-- Scott
More information about the users
mailing list