Reuse MFA flow bean
kwessel at illinois.edu
Wed Sep 15 15:43:41 UTC 2021
Thanks, Scott. This was my suspicion. We'll come back and revisit this once we have everyone using MFA.
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, September 15, 2021 10:33 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Reuse MFA flow bean
On 9/15/21, 11:24 AM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> I need the MFA flow to not always reuse conditions so that step-up authentication works properly.
Not unless the user is a factor in that decision. Anything else is manageable with custom Principal handling.
> We've got some SPs that are allowed through with just password, some
> that require MFA, and some that will fal through to our default case which is to prompt the user for MFA based on the user's role.
And the latter is the one that's impossible to deal with any other way usually because you have to decide on the fly whether the honor particular RequestedPrincipalContext settings or simply clear them in the name of an exemption.
> If I reuse the MFA results and log into an SP that never requires the
> second factor then log into one that falls into the default case with a user required to do the second factor, the IdP doesn't prompt me for MFA.
The problem is that it's not the *service* that requires MFA, it's the service + user. So at minimum you have to resolve attributes there to decide. You could in theory do that in the reuseCondition itself in some cases, but the complexity isn't worth the benefit IMHO. The understandability is higher by thinking in terms of your logic running every time in a consistent way, with or without a pre-existing session.
> This seems analogous to the favorSSO setting from the past versions of the IdP.
That setting has impact only when MFA isn't being used. It's for traditional "multiple, unrelated authentication options with non-overlapping behavior" cases that predate modern MFA that is really SFA plus another SFA.
> it feels like all of that checking wouldn't nend up adding much efficiency.
> Are there any examples out there yet of what I can do with this
> bean to perhaps get me headed down the right path? I see none o the wiki. I welcome any suggestions.
Stop with the user exemptions. That's the only improvement you can reasonably make.
For Consortium Member technical support, see https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!DZ3fjg!tdXMXBGINgPwFT9XZ-UCf-m1zENoIpf5U-6a6097oDVQgu3lGCxkFslrPHFgLSqDaQ$
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users