Shibboleth MFA questions

Klingenstein, Nate nklingenstein at
Wed May 17 17:56:34 EDT 2017

> SPs should ask for what they will accept or simply not care and live with what they get.

The one piece of practical advice I can add is, that's a loud "should".  If you set a RequestedAuthnContext, the IdP will do anything it can to return it, following rules that are actually specified, from what I can tell.  See

Some other implementations will not follow the specification rigorously, which makes the question of who controls the routing very difficult to answer in a deployment.

My rule of thumb: if there is a RequestedAuthnContext, the SP controls it.  If there isn't, the IdP controls it.  It's definitely a rule of thumb, though.
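As an added example (not part of this message or of the Shibboleth code base), here is an SP-side check of that rule of thumb: it reads whether the SP's AuthnRequest carried a RequestedAuthnContext, then compares what the IdP actually asserted against it. The class-reference URIs and the minimal, unsigned messages are constructed for illustration; only Comparison="exact" (the SAML default) is enforced, since the other comparison modes need a strength ordering that the spec leaves to the deployment.

```python
# Added example (not from the original post): given the AuthnRequest the SP sent
# and the Response it got back, say who controlled the authentication context.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample values: the REFEDS MFA profile and the SAML password class.
MFA = "https://refeds.org/profile/mfa"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def make_request(refs=None, comparison="exact"):
    """Minimal constructed AuthnRequest; refs=None sends no RequestedAuthnContext."""
    rac = "" if refs is None else (
        '<samlp:RequestedAuthnContext Comparison="%s">%s</samlp:RequestedAuthnContext>'
        % (comparison, "".join("<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>" % r for r in refs)))
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">%s'
            '</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], rac))

def make_response(ref):
    """Minimal constructed Response with one AuthnStatement asserting `ref`."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_p1" Version="2.0">'
            '<saml:Assertion ID="_a1" Version="2.0"><saml:AuthnStatement>'
            '<saml:AuthnContext><saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
            '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], ref))

def requested_contexts(authn_request_xml):
    """(comparison, [class refs]), or (None, []) when no RequestedAuthnContext was sent."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    return (rac.get("Comparison", "exact"),   # "exact" is the SAML default
            [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)])

def asserted_contexts(response_xml):
    """Every AuthnContextClassRef asserted in the Response's AuthnStatements."""
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in ET.fromstring(response_xml).iterfind(path, NS)]

def check_routing(authn_request_xml, response_xml):
    """Return (who_controls, accepted); only Comparison="exact" is enforced here."""
    comparison, wanted = requested_contexts(authn_request_xml)
    got = asserted_contexts(response_xml)
    if comparison is None:                # nothing requested: the IdP decided
        return "IdP", bool(got)
    if comparison != "exact":             # minimum/better/maximum need a strength ordering
        raise NotImplementedError("no strength ordering defined for " + comparison)
    return "SP", any(ref in wanted for ref in got)
```

An SP that asked for MFA and received a password-only context gets `("SP", False)` and should reject the assertion rather than live with what it got.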

