Shibboleth MFA questions
Klingenstein, Nate
nklingenstein at calstate.edu
Wed May 17 17:56:34 EDT 2017
> SPs should ask for what they will accept or simply not care and live with what they get.
The one piece of practical advice I can add is: that's a loud "should". If you set a RequestedAuthnContext, the IdP will do anything it can to return it, following rules that are actually specified, from what I can tell. See 3.3.2.2.1.
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Some other implementations will not follow the specification rigorously, which makes the question of who controls the routing very difficult to answer in a deployment.
My rule of thumb: if there is a RequestedAuthnContext, the SP controls it. If there isn't, the IdP controls it. It's definitely a rule of thumb, though.
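An added example illustrating the message above, not code from the post or from the Shibboleth project: the four Comparison rules of SAML 2.0 Core section 3.3.2.2.1, evaluated on the IdP side (which context to return) and on the SP side (checking what actually came back). The strength ranking in STRENGTH, the reading of "better" as "stronger than all requested contexts", and the sample assertion fragment are assumptions; the spec leaves the ranking to the responder.

```python
import xml.etree.ElementTree as ET

# Assumed IdP-side ranking of context classes, weakest to strongest.
# The spec says strength is "as deemed by the responder", so this is per deployment.
STRENGTH = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 2,
    "https://refeds.org/profile/mfa": 3,
}

def satisfies(requested, comparison, candidate, strength=STRENGTH):
    """True if 'candidate' meets the RequestedAuthnContext per 3.3.2.2.1."""
    if comparison == "exact":
        return candidate in requested
    s = strength.get(candidate)
    req = [strength[r] for r in requested if r in strength]
    if s is None or not req:
        return False
    if comparison == "minimum":   # at least as strong as one requested context
        return s >= min(req)
    if comparison == "maximum":   # not stronger than the strongest requested context
        return s <= max(req)
    if comparison == "better":    # assumed reading: stronger than every requested context
        return s > max(req)
    raise ValueError("unknown Comparison value: %s" % comparison)

def idp_select(available, requested, comparison="exact", strength=STRENGTH):
    """IdP side: strongest available context that satisfies the request,
    or None, in which case the IdP has to fail the request."""
    ok = [c for c in available if satisfies(requested, comparison, c, strength)]
    return max(ok, key=lambda c: strength.get(c, 0)) if ok else None

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def sp_check(assertion_xml, requested, comparison="exact", strength=STRENGTH):
    """SP side: read the AuthnContextClassRef actually returned and check it,
    instead of assuming the IdP honoured the request."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//%sAuthnContextClassRef" % SAML_NS)
    got = ref.text.strip() if ref is not None and ref.text else ""
    return got, satisfies(requested, comparison, got, strength)

# Constructed sample assertion fragment (signature, conditions etc. omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    want = ["https://refeds.org/profile/mfa"]
    print(idp_select(list(STRENGTH), want, "exact"))   # the MFA class
    print(sp_check(SAMPLE_ASSERTION, want, "exact"))   # password context, False
```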