The MFA flow is not considered to be SSO reuse by the IdP even though it may result in reusing SSO. This causes the SSO flag in audit logs to always be logged as “false” instead of reflecting that an SSO session was established.
Environment
None
Activity
Scott Cantor December 15, 2022 at 9:09 PM
This is really more of a straight bug with a simple fix of adjusting the merge function to set the new result's flag based on whether all of the results put into it are also previous results.
I think this is likely the right answer 99% of the time so just fixing that is simpler than a more complex "make it the deployer's problem" approach.
If this doesn't seem to work well, we can revisit.
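The merge rule proposed in the comment above, shown as an added illustrative example; this is not code from the Shibboleth IdP, and the AuthenticationResult and MfaMerge classes, method names and the "authn/Password", "authn/TOTP" and "authn/MFA" flow IDs are simplified stand-ins. The model assumes, as the comment implies, that the audit log's SSO field is populated from the merged result's previous-result flag.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical, simplified model of an authentication result. It is not the
// IdP's own AuthenticationResult class; only the fields the example needs.
final class AuthenticationResult {
    private final String flowId;
    private final Set<String> principals;
    private boolean previousResult;

    AuthenticationResult(String flowId, Collection<String> principals, boolean previousResult) {
        this.flowId = flowId;
        this.principals = new LinkedHashSet<>(principals);
        this.previousResult = previousResult;
    }

    String getFlowId() { return flowId; }
    Set<String> getPrincipals() { return principals; }
    boolean isPreviousResult() { return previousResult; }
    void setPreviousResult(boolean previousResult) { this.previousResult = previousResult; }
}

final class MfaMerge {

    // Combine the principals of every active result into one result for the MFA flow.
    private static AuthenticationResult combine(String mfaFlowId, List<AuthenticationResult> active) {
        Set<String> merged = new LinkedHashSet<>();
        for (AuthenticationResult r : active) {
            merged.addAll(r.getPrincipals());
        }
        // A freshly constructed result starts out as "not previous".
        return new AuthenticationResult(mfaFlowId, merged, false);
    }

    // Behaviour the issue describes: the merged result is a new object, so its
    // previous-result flag stays false even when every input was reused SSO.
    static AuthenticationResult mergeBuggy(String mfaFlowId, List<AuthenticationResult> active) {
        return combine(mfaFlowId, active);
    }

    // Fix per the comment: the merged result counts as a previous result only if
    // all of the results that went into it were themselves previous results.
    static AuthenticationResult mergeFixed(String mfaFlowId, List<AuthenticationResult> active) {
        AuthenticationResult result = combine(mfaFlowId, active);
        boolean allPrevious = !active.isEmpty()
                && active.stream().allMatch(AuthenticationResult::isPreviousResult);
        result.setPreviousResult(allPrevious);
        return result;
    }

    // Stand-in for the audit field (assumption: it mirrors the result's flag).
    static String auditSsoFlag(AuthenticationResult result) {
        return result.isPreviousResult() ? "true" : "false";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two reused factors, and one reused plus one fresh.
        List<AuthenticationResult> bothReused = List.of(
                new AuthenticationResult("authn/Password", List.of("jdoe"), true),
                new AuthenticationResult("authn/TOTP", List.of("jdoe"), true));
        List<AuthenticationResult> oneFresh = List.of(
                new AuthenticationResult("authn/Password", List.of("jdoe"), true),
                new AuthenticationResult("authn/TOTP", List.of("jdoe"), false));

        System.out.println("buggy merge, both reused: SSO=" + auditSsoFlag(mergeBuggy("authn/MFA", bothReused)));
        System.out.println("fixed merge, both reused: SSO=" + auditSsoFlag(mergeFixed("authn/MFA", bothReused)));
        System.out.println("fixed merge, one fresh:   SSO=" + auditSsoFlag(mergeFixed("authn/MFA", oneFresh)));
    }
}
```

The one-fresh case is the boundary the comment's "99% of the time" caveat refers to: once any factor actually ran, the merged result is treated as a new authentication, which is conservative for audit purposes but is the reason the comment leaves the door open to revisiting.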
Scott Cantor December 15, 2022 at 8:59 PM
Per conversation on Slack, my thought was to expose a way to get this flag manipulated by the MFA scripting, but I do still question whether it’s even realistic for the MFA scripting to actually know the answer or not, so that’s something I have to look at as well. Offhand I guess maybe one might be able to interrogate the active results stashed and tracked in the MultiFactorAuthenticationContext, but I’ll need to test that theory.