selectively inhibit previous session
cantor.2 at osu.edu
Thu May 21 21:13:24 UTC 2020
On 5/21/20, 5:08 PM, "users on behalf of Jim Fox" <users-bounces at shibboleth.net on behalf of fox at washington.edu> wrote:
> How can I inhibit the previous session handler based on the user's login
> id? (This would be, say, to prevent reuse of a session from a stolen
> password login.)
The design is built around not worrying about the session, it doesn't matter. What you want to inhibit is the authentication results from being reused, and all of them have a reuseCondition attached to control that now.
However, I created a regression in 4.0 that prevents the conditions from being properly attached to subresults in the MFA flow when they're pulled back out, it's hopefully fixed in 4.0.1.
More information about the users