Step-up Authn broken #17

Open
langedb opened this issue Dec 11, 2014 · 2 comments

langedb commented Dec 11, 2014

  1. user initially authN at password context
  2. return to SP
  3. user comes back & SP requests Duo
  4. user doesn't get prompted for duo, MCB returns to SP.

See Steven Carmody's thread on shib-assure.

@langedb langedb added the bug label Dec 11, 2014
@paulhethmon paulhethmon self-assigned this Jan 25, 2015
@paulhethmon

I need some clarification here. I've read through the email list but I'm missing something in the setup to bring out the bug. What I have in my test setup is this:

MCB: 2 methods and contexts defined:

  1. password
  2. silver

The "silver" method can satisfy "password".

Then 2 SPs defined and the method each requests:

  1. Pwd SP. Requests "password".
  2. Silver SP. Requests "silver" or "password" in that preference order.

I log in to "Pwd", enter credentials. I go to "Silver", get sent to IdP, IdP says I must authenticate at a higher level (silver). I do and get sent to "Silver" with that context.

So what am I missing?

I think it might be that there is only a single SP involved for the bug here. The first time you log in the SP does not request a context and you get "password". The second time it requests "duo" but you don't have to reauthenticate and "password" context is returned to the SP. Is that right?

langedb commented Jan 26, 2015

Same premise, different setup:

  1. SP requests unspecified or just doesn't specify anything (gets password)
  2. SP (or another SP) then requests "silver" & user gets prompted for the additional step that "silver" does beyond password.

This is how things like the Duo step-up work; substitute "Duo" for "Silver".
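
An SP-side guard for the failure described in this issue, added here as an example (not code from this thread or from the MCB): the SP compares the `AuthnContextClassRef` the IdP returned against what it requested, so a silent fallback to "password" is rejected instead of accepted. The context URIs, the `SATISFIES` map and the function names are constructed for illustration, and the assertion is assumed to have already passed signature and condition checks in the SP's SAML stack.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed context URIs (placeholders, not the deployment's real values).
PASSWORD = "urn:example:authn:password"
SILVER = "urn:example:authn:silver"

# Constructed hierarchy mirroring the thread: "silver" can satisfy "password".
SATISFIES = {SILVER: {SILVER, PASSWORD}, PASSWORD: {PASSWORD}}


def returned_context(assertion_xml):
    """Return the AuthnContextClassRef in the assertion, or None if absent.

    Assumes the SAML stack has already verified the signature and conditions.
    """
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None


def check_step_up(assertion_xml, requested):
    """Return (ok, reason); `requested` lists the contexts the SP asked for."""
    got = returned_context(assertion_xml)
    if got is None:
        return False, "no AuthnContextClassRef in assertion"
    if not requested:  # SP asked for nothing specific: any context is acceptable
        return True, got
    if any(req in SATISFIES.get(got, {got}) for req in requested):
        return True, got
    return False, f"requested {requested}, IdP returned {got}"


def make_assertion(ctx):
    """Build a minimal constructed assertion carrying one context class."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )
```

With this check in place, the sequence in the issue (SP requests the stronger context, IdP returns "password") fails closed at the SP regardless of what the IdP does.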
