Shibboleth MFA questions
nklingenstein at calstate.edu
Wed May 17 17:56:34 EDT 2017
> SPs should ask for what they will accept or simply not care and live with what they get.
The one piece of practical advice I can add is, that's a loud "should". If you set a RequestedAuthnContext, the IdP will do anything it can to return it, following rules that are actually specified, from what I can tell. See 126.96.36.199.1.
Some other implementations will not follow the specification rigorously, which makes the question of who controls the routing very difficult to answer in a deployment.
My rule of thumb: if there is a RequestedAuthnContext, the SP controls it. If there isn't, the IdP controls it. It's definitely a rule of thumb, though.
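An added example, not part of the original message: an SP-side check that applies the rule of thumb above and confirms the IdP actually returned a context the SP asked for. The function names and the sample XML are constructed for illustration. It assumes the response signature has already been validated, and it handles only Comparison="exact", failing closed on anything else.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Sample class references used by the constructed messages below.
MFA = "https://refeds.org/profile/mfa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REF = "saml:AuthnContextClassRef"

def requested_context(authn_request_xml):
    """Return (comparison, [class refs]), or None if nothing was requested."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.findall(REF, NS) if e.text]
    return rac.get("Comparison", "exact"), refs  # "exact" is the default

def delivered_context(assertion_xml):
    """Return the class reference the IdP asserted, or None if absent."""
    path = "saml:AuthnStatement/saml:AuthnContext/" + REF
    el = ET.fromstring(assertion_xml).find(path, NS)
    return el.text.strip() if el is not None and el.text else None

def sp_decision(authn_request_xml, assertion_xml):
    """Return (who controls the routing, whether the SP should accept)."""
    req = requested_context(authn_request_xml)
    if req is None:
        return "idp", True       # SP did not ask, so it lives with what it gets
    comparison, refs = req
    if comparison != "exact":
        return "sp", False       # class ordering is deployment-specific: fail closed
    return "sp", delivered_context(assertion_xml) in refs

# Constructed sample messages (hypothetical helpers, not real traffic).
def authn_request(refs):
    inner = "".join(f"<{REF}>{r}</{REF}>" for r in refs)
    rac = (f'<samlp:RequestedAuthnContext Comparison="exact">{inner}'
           f'</samlp:RequestedAuthnContext>') if refs else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_constructed" Version="2.0">'
            f'{rac}</samlp:AuthnRequest>')

def assertion(ref):
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_constructed" '
            f'Version="2.0"><saml:AuthnStatement><saml:AuthnContext>'
            f'<{REF}>{ref}</{REF}></saml:AuthnContext></saml:AuthnStatement>'
            f'</saml:Assertion>')

if __name__ == "__main__":
    for req, got in (([MFA], MFA), ([MFA], PPT), ([], PPT)):
        print(req, got, sp_decision(authn_request(req), assertion(got)))
```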