MFA and AWS SAML authentication

Wessel, Keith kwessel at
Wed May 17 17:48:07 EDT 2017

Hi, all,

Wondered if anyone had hit up against a problem we're having with SAML authentication into AWS and, even better, found a reasonable fix. I think this is AWS's issue, but I thought I'd ask.

Our AWS admins asked if I could turn on forced MFA into AWS for specific users. I did this, and AWS didn't like it. Turns out, if you send an authn context other than urn:oasis:names:tc:SAML:2.0:classes:ac:password to AWS with your assertion, they reject it. Obviously, they shouldn't be caring what authn context they get as long as they're getting a valid one, or so I would think. So, when we send them our custom context that we use for MFA, it fails. They also provide no way for us to tell them we might send other contexts.

I'd rather not lie to Amazon and tell them that a user did a password authentication when they actually did an MFA authentication just to work around this issue, nor would I know how to tell the IdP to tell that lie.

Has anyone successfully found a way to do MFA into AWS with IdP v3?
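The rejection Keith describes is the SP comparing the AuthnContextClassRef in the assertion's AuthnStatement against a fixed allow-list. The script below, added here as an illustration and not code from the post, AWS, or the Shibboleth project, parses a constructed SAML Response, pulls out that class reference, and shows how a strict allow-list of only the Password class rejects an assertion carrying a custom MFA class while a list that also includes the MFA class accepts it. The custom class URI and the issuer/audience values are placeholders; signature validation is deliberately out of scope.

```python
"""Inspect and allow-list the AuthnContextClassRef an SP sees in a SAML assertion.

Added example (not from the original post). The sample Response documents are
constructed inline; the custom MFA class URI is a placeholder, since the post
does not name the value the IdP actually sends.
"""
from typing import FrozenSet, Optional, Tuple
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard SAML 2.0 authentication context class for a plain password login.
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
# Placeholder for a custom class an IdP might emit after a second factor.
CUSTOM_MFA_CTX = "urn:example:idp:ac:classes:mfa"

# An SP that only knows the Password class (the behaviour the post describes).
STRICT_SP = frozenset({PASSWORD_CTX})
# An SP that has been told the IdP may also assert a custom MFA class.
MFA_AWARE_SP = frozenset({PASSWORD_CTX, CUSTOM_MFA_CTX})


def make_response(ctx_class: str) -> bytes:
    """Build a minimal, unsigned SAML Response carrying the given class ref (constructed sample)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2017-05-17T21:48:07Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-05-17T21:48:07Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.edu</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:example:sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-05-17T21:48:07Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{ctx_class}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>""".encode()


def authn_context_class(response_xml: bytes) -> Optional[str]:
    """Return the first AuthnContextClassRef found in the Response, or None if absent."""
    root = ET.fromstring(response_xml)
    ref = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
    )
    if ref is None or not ref.text:
        return None
    return ref.text.strip()


def sp_accepts(response_xml: bytes, accepted: FrozenSet[str]) -> Tuple[bool, str]:
    """Apply an SP-side allow-list to the asserted class; return (accepted?, reason/class)."""
    ctx = authn_context_class(response_xml)
    if ctx is None:
        return False, "no AuthnContextClassRef"
    if ctx not in accepted:
        # This is the failure mode in the post: a valid assertion with an
        # unfamiliar context class is refused outright.
        return False, f"unexpected AuthnContextClassRef {ctx}"
    return True, ctx


if __name__ == "__main__":
    for label, sp in (("strict SP", STRICT_SP), ("MFA-aware SP", MFA_AWARE_SP)):
        for ctx in (PASSWORD_CTX, CUSTOM_MFA_CTX):
            ok, why = sp_accepts(make_response(ctx), sp)
            print(f"{label:13s} {ctx:45s} -> {'accept' if ok else 'reject'} ({why})")
```

The point for an IdP operator is that the allow-list lives on the SP side: the IdP can only pick which class it asserts, so an SP that cannot be configured with additional classes will keep rejecting anything other than the one it already knows.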
