Hello!
In theory (from docs):
IMPORTANT: If you have configured more than one chain using one method (for example, LDAP
Password, LDAP Password+Smartphone) and assigned it to the same group of users and the
same event, then the top chain is always used if the user has enrolled all methods in the chain.
An exception is the use of a high-security chain and its appropriate simple chain, where the
simple chain must be higher than its high-security chain.
In practice (from my lab):
Looks like the system bahaves completely opposite and even more:
There are two chains: LDAP and LDAP+SMARTPHONE (enrolled indeed). No matter what chain I choose,
after passing the LDAP password I am immediately authenticated. SMARTPHONE is never used. It's true at least for Windows Logon and Enrollment Portal.
I'd swear it's working as described in docs in case of Entrollment portal with "Show chains" option disabled.
Unfortunately, after more than 24 hours and one restart list of chains is still visible, so I can't confirm it.
Could someone comment on that, please?
Dariusz