Logic for mfa-authn-config.xml

Tom Scavo trscavo at gmail.com
Wed Jan 10 17:41:03 EST 2018


On Wed, Jan 10, 2018 at 4:40 PM, Paul B. Henson <henson at cpp.edu> wrote:
>
> Applications will fall into three groups; those that do not need MFA at all, those that will use MFA if available but still work with just a password otherwise, and those that strictly require MFA and will fail if it does not succeed. I'm not sure yet where this application delineation information will be stored.

The first two groups of applications just continue to do what they've
always been doing (i.e., no RequestedAuthnContext in the
AuthnRequest). The latter group of applications indicate (via
RequestedAuthnContext in the AuthnRequest) their requirement for MFA.
If the IdP cannot satisfy that requirement, it returns a SAML error.

The rest is up to the IdP.

Just my two cents,

Tom
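
The split described in the message above, as an added example that is not part of the original message and is not Shibboleth's own code: an AuthnRequest with and without RequestedAuthnContext, and the resulting IdP-side outcome. The REFEDS MFA profile URI as the MFA context class, the `opportunistic_sps` parameter, and all entity IDs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MFA = "https://refeds.org/profile/mfa"  # assumption: REFEDS MFA profile as the MFA class
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# The "SAML error": second-level status code, sent under a Responder top-level status.
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

def authn_request(sp, required_class=None):
    """Constructed sample AuthnRequest; required_class adds RequestedAuthnContext."""
    rac = ""
    if required_class:
        rac = ('<samlp:RequestedAuthnContext Comparison="exact">'
               f'<saml:AuthnContextClassRef>{required_class}</saml:AuthnContextClassRef>'
               '</samlp:RequestedAuthnContext>')
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            'ID="_constructed1" Version="2.0" IssueInstant="2018-01-10T22:41:03Z">'
            f'<saml:Issuer>{sp}</saml:Issuer>{rac}</samlp:AuthnRequest>')

def requested_classes(xml_text):
    """Context classes the SP listed in RequestedAuthnContext (empty if absent)."""
    root = ET.fromstring(xml_text)
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS) if e.text]

def idp_decide(xml_text, user_has_mfa, opportunistic_sps=()):
    """Return (status code, context class asserted or None) for one request."""
    issuer = ET.fromstring(xml_text).findtext("saml:Issuer", namespaces=NS)
    wanted = requested_classes(xml_text)
    available = [PASSWORD] + ([MFA] if user_has_mfa else [])
    if wanted:
        # Third group: the SP stated its requirement; satisfy it exactly or fail.
        for cls in wanted:
            if cls in available:
                return SUCCESS, cls
        return NO_AUTHN_CONTEXT, None
    # First two groups: nothing requested, so the choice is IdP-side policy.
    # opportunistic_sps is a hypothetical list of "use MFA if available" SPs.
    if issuer in opportunistic_sps and user_has_mfa:
        return SUCCESS, MFA
    return SUCCESS, PASSWORD
```
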

