...
The flow itself relies on a view template in views/admin/passwordless-admin.vm. The view provides a form that includes some simple logic at the top allowing it to determine the current state of the cookie and whether the user was granted admin access or merely control over one’s own cookie, and then provides the buttons to set an opt-in or opt-out cookie or clear it entirely. Admin access allows the username to be set explicitly rather than derived.
...
This is to some degree an example/demo of how one might provide this sort of functionality, but because the cookie is generally scoped to the IdP, it is more or less assumed that a mechanism living within the IdP or at least running on the same server would need to be used to do so.
Note that allowing access to this flow would by default allow anybody to opt in to the feature without passing the usual eligibility check that applies to the mainline behavior, but one could of course include checks for particular attributes (e.g., a group membership) in an access policy if desired.
Examples
MFA Flow Configuration Example
...
Note that this does not inherently prevent somebody from using the administrative flow feature to get the opt-in cookie created, though it isn’t necessarily easy or obvious how one might manage that. The point of the eligibility check is really about user experience management; the goal isn’t to keep people out, but to limit the support burden from users stumbling into it by mistake. If this is a concern, you would want to apply this group check to the general access control rule for end-user access to that feature and toggle the property on to resolve attributes after logging in to access that feature.
An example of performing an attribute lookup for a group is demonstrated below. Note that it also shows how to combine a more “expensive” check with the built-in condition based on Duo factor in an AND condition so that if the user doesn’t demonstrate the ability to use a passwordless factor first, the group check is skipped.
...