Forcing MFA for some SPs and not Others
Cantor, Scott
cantor.2 at osu.edu
Fri Aug 13 22:13:18 UTC 2021
If you want them exempted from Duo, then you need to unconditionally null out the flow to run, and you need to clear the RequestedPrincipalContext from the tree that's telling the IdP to require Duo.
> without the if statement I get various errors depending on the application.
Because you didn't clear the requirement state that's enforced later at the end.
nextFlow = null;
// Clear requirement for MFA.
authCtx.removeSubcontext(
authCtx.getSubcontext("net.shibboleth.idp.authn.context.RequestedPrincipalContext")
);
-- Scott
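
Added example, not part of the message above and not Shibboleth project code: the exemption logic written as a function and run against stand-in context objects, so the effect of clearing the RequestedPrincipalContext is visible. The exemption list, the entityIDs, the use of "authn/Duo" for non-exempt SPs, the RelyingPartyContext lookup, and the makeCtx/buildRequest helpers are assumptions for illustration; inside the IdP, `input` is the real context tree.

```javascript
// Context class names as used in IdP scripts.
const AUTHN = "net.shibboleth.idp.authn.context.AuthenticationContext";
const RPC = "net.shibboleth.idp.authn.context.RequestedPrincipalContext";
const RP = "net.shibboleth.idp.profile.context.RelyingPartyContext";

// Hypothetical exemption list (constructed entityID).
const EXEMPT_SPS = ["https://sp-exempt.example.org/shibboleth"];

// Returns the next flow id, or null to stop. Assumed wrapper around the script body.
function chooseNextFlow(input, exemptSps) {
  var authCtx = input.getSubcontext(AUTHN);
  var rpId = input.getSubcontext(RP).getRelyingPartyId();
  if (exemptSps.indexOf(rpId) === -1) {
    return "authn/Duo"; // non-exempt SPs keep the MFA requirement and go to Duo
  }
  // Exempt SP: null out the flow AND clear the MFA requirement, because the
  // requirement is still enforced at the end of the flow if left in the tree.
  var rpc = authCtx.getSubcontext(RPC);
  if (rpc != null) {
    authCtx.removeSubcontext(rpc); // skip when absent rather than pass null
  }
  return null;
}

// Stand-in for a context node (constructed for this example, not the IdP API).
function makeCtx(props) {
  const subs = {};
  return Object.assign({
    getSubcontext: (name) => (name in subs ? subs[name] : null),
    removeSubcontext: (ctx) => {
      for (const k of Object.keys(subs)) if (subs[k] === ctx) delete subs[k];
    },
    _put: (name, ctx) => { subs[name] = ctx; return ctx; },
  }, props || {});
}

// Builds a request tree for one SP, optionally carrying an MFA requirement.
function buildRequest(rpId, withRequirement) {
  const prc = makeCtx();
  prc._put(RP, makeCtx({ getRelyingPartyId: () => rpId }));
  const authCtx = prc._put(AUTHN, makeCtx());
  if (withRequirement) authCtx._put(RPC, makeCtx());
  return prc;
}
```

Clearing the RequestedPrincipalContext drops the requirement for that request wherever it came from, so the exemption list should contain only the SPs that are meant to skip Duo.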