MFA and AWS SAML authentication

Wessel, Keith kwessel at
Wed May 17 17:57:54 EDT 2017

Good to know. I'll test again to see if they've fixed it. Maybe it was an issue when we last tested. We brought it to their attention, but we didn't get much of a response.


-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Wednesday, May 17, 2017 4:52 PM
To: Shib Users <users at>
Subject: Re: MFA and AWS SAML authentication

On 5/17/17, 5:48 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> Our AWS admins asked if I could turn on forced MFA into AWS for specific users. I did this, and AWS didn't like it. Turns out, if you
> send an authn context other than urn:oasis:names:tc:SAML:2.0:classes:ac:password to AWS with your assertion, they reject it.

Hmm, no, they don't, we're doing that.

So...dunno but it's been fine here.

-- Scott
