Reuse MFA flow bean

Wessel, Keith kwessel at illinois.edu
Wed Sep 15 15:24:11 UTC 2021


Hi, all,

I was looking at the reuse MFA conditions bean yesterday, trying to figure out how I might use that feature to improve the efficiency of my MFA flow. Right now, I have the lazy approach:

idp.authn.MFA.reuseCondition = shibboleth.Conditions.FALSE

I need the MFA flow to not always reuse conditions so that step-up authentication works properly. We've got some SPs that are allowed through with just password, some that require MFA, and some that will fall through to our default case which is to prompt the user for MFA based on the user's role. If I reuse the MFA results and log into an SP that never requires the second factor then log into one that falls into the default case with a user required to do the second factor, the IdP doesn't prompt me for MFA. This seems analogous to the favorSSO setting from the past versions of the IdP.

I'm unclear what I could do in a bean to see if the MFA flow results should be reused that would make it more efficient than just re-running the flow every time. In theory, it would need to evaluate the requested authnContexts and the allowed methods for the given user, and it feels like all of that checking wouldn't end up adding much efficiency.

Are there any examples out there yet of what I can do with this bean to perhaps get me headed down the right path? I see none on the wiki. I welcome any suggestions.

Thanks,
Keith
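One shape such a bean can take, as an added example that is not part of the post above and not Shibboleth's own code: a `Predicate<ProfileRequestContext>` that allows reuse of a prior MFA result only when that result already carries the step-up AuthnContextClassRef, so a password-only result from an SP that never required the second factor is never reused for an SP that might. The flow ID `authn/MFA`, the class-ref URI and the IdP v4 class names are assumptions; the prior result is read from the IdP session rather than from the AuthenticationContext because the condition runs while active results are still being determined.

```java
// Added example (not from the post or the Shibboleth project).
// Assumptions: IdP v4 API class names as listed in the imports; the MFA flow is
// registered as "authn/MFA"; MFA_CLASS_REF is the deployment's own step-up URI.
import java.util.function.Predicate;

import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.idp.session.IdPSession;
import net.shibboleth.idp.session.context.SessionContext;
import org.opensaml.profile.context.ProfileRequestContext;

public class ReuseOnlyFullMfaResult implements Predicate<ProfileRequestContext> {

    // Placeholder URI: replace with the AuthnContextClassRef your MFA flow emits
    // when the second factor was actually performed.
    private static final String MFA_CLASS_REF = "https://example.org/ac/classes/mfa";
    private static final String MFA_FLOW_ID = "authn/MFA";

    @Override
    public boolean test(final ProfileRequestContext prc) {
        final SessionContext sc = prc.getSubcontext(SessionContext.class);
        if (sc == null || sc.getIdPSession() == null) {
            return false;  // no session, nothing to reuse
        }
        final IdPSession session = sc.getIdPSession();
        final AuthenticationResult prior = session.getAuthenticationResult(MFA_FLOW_ID);
        if (prior == null) {
            return false;  // no earlier MFA result in this session
        }
        // Reuse only when the earlier result already satisfied the second factor;
        // a password-only result forces the MFA flow to run again, where its own
        // transitions can still decide whether the user's role needs step-up.
        return carriesClassRef(prior, MFA_CLASS_REF);
    }

    // True if the result's Subject holds an AuthnContextClassRefPrincipal for uri.
    static boolean carriesClassRef(final AuthenticationResult result, final String uri) {
        for (final AuthnContextClassRefPrincipal p
                : result.getSubject().getPrincipals(AuthnContextClassRefPrincipal.class)) {
            if (uri.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }
}
```

Wire it as a bean in conf/global.xml and point `idp.authn.MFA.reuseCondition` at its ID in place of `shibboleth.Conditions.FALSE`; the class-ref check is the part to adapt if your flow signals the second factor with a different principal type.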


