Hi guys!
I've been working with SimpleSAMLphp for some time now and I love the way it just works most of the time :)
I've come across a desire to add an additional step to authentication on the IDP. Imagine a user having a secret question in addition to the standard authsource username/password authentication. A user can define its own secret question on an SP I created, or a user can remain without a secret question, in which case the auth process would default to the standard authsource username/password auth process.
From what I've seen in the documentation, Auth Filters are a way to add steps to the Authentication Processing Chain. The filters, however, don't work at all if I try to log in on the IDP directly, so if a user gets his username/password stolen, a malicious person can log in directly to the IDP and go to all the SPs logged in as that user, making the secret question auth filter completely useless :(.
So what I'm asking is: how would one properly implement additional authentication steps on the IDP? I haven't yet researched all the available modules, so if something similar exists in some of the modules, I apologize and please point me in the right direction :). I would very much like to avoid touching the existing SimpleSAMLphp code and do all the work in a separate module if it's at all possible.