Audit logs, MFA, and SSO sessions
Cantor, Scott
cantor.2 at osu.edu
Thu Sep 2 12:38:43 UTC 2021
> Is there a strategy on getting the log to properly reflect the reuse of an SSO session in this configuration?
Not easily. There's a flag on the AuthenticationResult that's produced by the MFA flow that signals whether it's a previous result. That's not set normally by anything but the code that deserializes results out of a session, and running the flow every time means the result object is always new.
You would have to override the process that builds the final result and somehow know to toggle that flag on. The mechanics of producing the result can be overridden (see Merging Results in the MFA docs) but it's not easy.
I think all of that is probably dumb and it would make more sense that if you somehow knew whether SSO happened or not (and that's not itself clear to me), you could stash something off in e.g. a ScratchContext and then build a custom audit extraction rule to log the SSO field based on that instead of the default extractor.
Given that both are ugly-ish, the latter's probably less ugly and less disruptive to the internals.
-- Scott
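The second option Scott sketches (stash a marker in a ScratchContext, then log from it with a custom audit extraction rule) can be written as an IdP audit extractor bean. The class below is an added example, not Scott's code and not part of the Shibboleth IdP distribution. It assumes that ScratchContext lives in net.shibboleth.idp.profile.context and exposes a getMap() accessor, and that your own MFA flow logic stores a Boolean under the key "ssoReused" (a name chosen here) when it determines that SSO took place; where the marker is absent it falls back to the previous-result flag on the AuthenticationResult that the reply mentions.

```java
// Added example (not the Shibboleth project's own code): an audit extractor
// that reports whether this request reused an SSO session.
// ASSUMPTIONS: net.shibboleth.idp.profile.context.ScratchContext exists and has
// getMap(); the key "ssoReused" is invented here and must be set to a Boolean by
// your own MFA/flow logic when it determines that SSO happened.
package example.audit;

import java.util.function.Function;

import org.opensaml.profile.context.ProfileRequestContext;

import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.profile.context.ScratchContext;

public class SsoReuseAuditExtractor implements Function<ProfileRequestContext, Object> {

    /** Key under which the flow stashes the SSO marker (assumed name). */
    public static final String SCRATCH_KEY = "ssoReused";

    @Override
    public Object apply(final ProfileRequestContext prc) {
        if (prc == null) {
            return null;
        }

        // 1. Prefer the explicit marker stashed by the flow: this is the path
        //    the reply recommends, since it does not touch result-building internals.
        final ScratchContext scratch = prc.getSubcontext(ScratchContext.class);
        if (scratch != null) {
            final Object marker = scratch.getMap().get(SCRATCH_KEY);
            if (marker instanceof Boolean) {
                return ((Boolean) marker) ? "SSO" : "new";
            }
        }

        // 2. Fall back to the flag on the result. In a standard configuration only
        //    the session deserializer sets it, so with the MFA flow running every
        //    time this will normally report "new", exactly the gap the thread describes.
        final AuthenticationContext authn = prc.getSubcontext(AuthenticationContext.class);
        if (authn != null) {
            final AuthenticationResult result = authn.getAuthenticationResult();
            if (result != null) {
                return result.isPreviousResult() ? "SSO" : "new";
            }
        }

        // No authentication result in this request (for example an error path):
        // log nothing rather than a misleading value.
        return null;
    }
}
```

To use it, register the class as a Spring bean in the IdP's audit extractor map under a field name of your choosing and reference that field in the audit format string; the exact wiring is described in the IdP audit documentation and is not reproduced here. The value of this approach for log review is that "SSO" versus "new" is derived from something the flow decided, so a reviewer checking how often MFA was actually performed sees the same distinction the IdP made at runtime.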