Forcing MFA for some SPs and not Others

Cantor, Scott cantor.2 at
Fri Aug 13 22:13:18 UTC 2021

If you want them exempted from Duo, then you need to unconditionally null out the flow to run, and you need to clear the RequestedPrincipalContext from the tree that's telling the IdP to require Duo.

> without the if statement I get various errors depending on the application.

Because you didn't clear the requirement state that's enforced later at the end.

        nextFlow = null;
        // Clear requirement for MFA.

-- Scott

More information about the users mailing list