Changing MCB assurance level per SP and by "risk" (source IP)

Rich Graves rgraves at
Fri Apr 4 17:52:19 EDT 2014

> The SP needs to send the "assurance" requirement via the AuthnContextClassRef field of the AuthRequest. You can't control on the IdP side "SP X requests must do DUO". 

Yes, that flow is as expected. I just need to figure out how exactly to do that. I will do my homework. I suppose /etc/shibboleth/bindingTemplate.html would be too easy?

> As for your second question, once again, it's on the Service to say "hmm, this user is from Nigeria, I should make them to 2-factor" 

Hmm. I agree that the SP, not something like the IdP's relying-party.xml, should decide if an SP wants step-up authentication. But I think I want one central decision point on "risky" IPs -- and certainly on dodgy globe-trotting behavior. Individual SPs, especially third-party SPs, do not know what my IdP knows about expected user behavior.

There is already the <idms attributeResolverID> mechanism for forcing a *user* to a higher assurance level regardless of SP. Or is that supposed to be an inclusive set, and I'm abusing it by making it exclusive? It looks like I could make "creative" use of <idms attributeResolverID> pointing to an instrumented database or LDAP server. Go ahead and talk me out of that.
Rich Graves <rgraves at>

More information about the users mailing list