SAML flow within MFA flow - possible c14n problem
Cantor, Scott
cantor.2 at osu.edu
Tue Sep 13 14:30:35 UTC 2022
Most people proxying don't use the IdP's sessions, but if they're in use, there are no differences between any of the login flows in that respect; reuse is up to the relevant lifetime and your reuseCondition (if set).
However, the MFA flow by design can't apply timeouts on the individual results, as noted in the documentation (under Single Sign-On / Reuse By the MFA Flow).
"Note that one feature the MFA flow does not have is individual timeouts. For various reasons, it was not practical to maintain an activity timeout on the individual results within the MFA flow, and so that check is not done. Using a shorter lifetime generally will compensate for that.
On the other hand, the overall MFA result that contains all of the individual results does have the normal lifetime/timeout policy the IdP supports. You can still time out any memory of any of the results, just not at a fine-grained level."
-- Scott
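As an added illustration (not from Scott's message, the quoted documentation, or the Shibboleth project): a conf/authn/authn.properties fragment contrasting a configuration that leans on the per-factor inactivity timeout, which per the above is not checked on individual results inside the MFA flow, with one that shortens the lifetimes instead. The property names are assumed to follow the idp.authn.<flow>.lifetime / .inactivityTimeout naming of IdP 4's authn.properties as I recall it, and the durations are arbitrary; check both against the commented defaults in your own file.

```properties
# conf/authn/authn.properties -- added illustration, not from the original post.
# Property names are assumed (IdP 4.x naming convention); verify locally.

# --- Setup that does not do what you might expect inside the MFA flow ---
# A short per-factor inactivity timeout is applied when Password runs as its
# own login flow, but the MFA flow does not apply timeouts to the individual
# results it contains, so this value buys nothing once Password is a step in MFA.
#idp.authn.Password.inactivityTimeout = PT5M
#idp.authn.Password.lifetime = PT8H
#idp.authn.MFA.lifetime = PT8H
#idp.authn.MFA.inactivityTimeout = PT30M

# --- Compensating setup, per the quoted documentation: use shorter lifetimes ---
# The overall MFA result still gets the normal lifetime/inactivity policy, so
# bounding it (and the per-factor lifetime) is the lever that actually applies.
idp.authn.Password.lifetime = PT1H
idp.authn.MFA.lifetime = PT1H
idp.authn.MFA.inactivityTimeout = PT30M
```

Only one of the two sections is meant to be active at a time (the first is commented out); the point is that when Password is a step in the MFA flow, the knob to reach for is lifetime, on the factor and on the MFA result, not a per-factor inactivity timeout.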