The IdP does not always handle the idp.authn.resolveAttribute configuration properly.
One of the more popular Multi-Context Broker use cases is to enable the IdP to require that certain users must use multi-factor authentication, even when the SP doesn't request it. This requirement may be the result of the user's preference, or institutional policy.
idp.authn.resolveAttribute can be configured to enable this, but it appears that it is not always honored. Here is more detail on what does not work.
- Two types of Principals are defined: Password and Duo.
- matchingRules are defined to allow Duo to be used to satisfy a request for Password.
- idp.authn.flows.initial is set to Password.
- The user's value for the attribute named by idp.authn.resolveAttribute is set to only Duo, not Password.
When an SP requests Password, the user should be prompted for Duo authentication after the initial Password authentication completes. Unfortunately, the IdP returns successful authentication as soon as the initial Password authentication is complete, without the Duo interaction.
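The following is an added example, not Shibboleth IdP code and not part of the original report: a small model of the result check the report expects. It treats the SP's requested principals and the user's resolved attribute values as two requirements that both have to be satisfied under the matching rules, and shows which flows run in the reported scenario with and without the user's attribute honored. The names MATCHING_RULES, FLOW_RESULT, is_satisfied_by, acceptable and select_flows, and the one-flow-one-principal table, are assumptions made for illustration.

```python
# Added example: a model of the expected authentication-result check described
# in the report. NOT Shibboleth IdP code; all names below are assumed.

# matchingRules from the report: a Duo result may satisfy a request for
# Password, while a Duo requirement can only be satisfied by Duo.
MATCHING_RULES = {
    "Password": {"Password", "Duo"},
    "Duo": {"Duo"},
}

# Each login flow yields one principal (assumed one-to-one for this model).
# Dict order doubles as the fallback order after the initial flow.
FLOW_RESULT = {"Password": "Password", "Duo": "Duo"}


def is_satisfied_by(required, achieved):
    """True if the achieved principal satisfies the required one under the rules."""
    return achieved in MATCHING_RULES.get(required, {required})


def acceptable(achieved, sp_requested, user_required):
    """A result is acceptable only if it satisfies at least one principal the SP
    requested AND, when idp.authn.resolveAttribute yields values for the user,
    at least one principal from that resolved attribute."""
    sp_ok = any(is_satisfied_by(r, achieved) for r in sp_requested)
    user_ok = not user_required or any(
        is_satisfied_by(u, achieved) for u in user_required
    )
    return sp_ok and user_ok


def select_flows(sp_requested, user_required, initial_flow, honor_user_attribute=True):
    """Return the ordered list of flows run until an acceptable result is reached.

    honor_user_attribute=False models the behaviour the report observes, where
    the user's resolved attribute is ignored and the initial flow is enough.
    """
    user_req = set(user_required) if honor_user_attribute else set()
    order = [initial_flow] + [f for f in FLOW_RESULT if f != initial_flow]
    executed = []
    for flow in order:
        executed.append(flow)
        if acceptable(FLOW_RESULT[flow], sp_requested, user_req):
            return executed
    # Assumed failure handling for the model: nothing could satisfy the request.
    raise RuntimeError("no flow can satisfy the request")


if __name__ == "__main__":
    # Scenario from the report: SP requests Password, user's attribute is only
    # Duo, idp.authn.flows.initial is Password.
    print(select_flows({"Password"}, {"Duo"}, "Password"))         # ['Password', 'Duo']
    print(select_flows({"Password"}, {"Duo"}, "Password", False))  # ['Password']
```

The first call is the expected outcome: Password runs first, fails the user's Duo requirement, so Duo runs and satisfies both requirements. The second call, with the attribute ignored, stops after Password, which is the behaviour the report describes.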