FW: MFA for InCommon members
NAINI at mailbox.sc.edu
Tue Jul 2 11:40:00 EDT 2019
Good Afternoon Gentlemen,
I have a question about MFA implementation for InCommon members (SPs). We're having difficulty with one particular vendor (CollegeNET Inc.): there are multiple applications being hosted with the same EntityID, and one of the applications requested that MFA be added. By default, I went ahead and added it based on the logic: getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();
This resulted in MFA being applied to all of the vendor's applications, and some of them have resource accounts that do not have a way around MFA. Did anyone else run into this kind of situation? I tried to look for an alternate way to apply the MFA. One potential way I was considering was to filter it based on the Endpoint Resolver value. I did find one reference in the idp-saml-api-3.3.1.jar, but I am unsure how to extract it and use it.
Are there any other ways the Endpoint URL can be extracted and used to apply MFA on? Would this cause any security concerns? Can someone please provide some insights/suggestions on how to address this? 😊
The data concerned:
Entity ID/Relying Party ID (the same for both Apps): https://corp.collegenet.com/shibboleth-sp/
Endpoint Resolver Values:
* 25Live https://25live.collegenet.com/sc/Shibboleth.sso/SAML2/POST
* AW https://admit.applyweb.com/admit/shibboleth/sc/Shibboleth.sso/SAML2/POST
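The endpoint-based variant asked about above, as an added example that is not part of the original thread or the vendor's configuration: a Shibboleth IdP v3 MFA-intercept script (Nashorn JavaScript) that keys the step-up decision on the ACS endpoint the IdP resolved against SP metadata, instead of on the shared entityID alone. The flow id "authn/Duo" and the prefix table are assumptions built from the post, and the script assumes the outbound SAMLEndpointContext has already been populated when the MFA flow runs (it returns null, i.e. no second factor, if it has not).

```javascript
// Added example (not from the original thread): select the MFA flow per endpoint
// rather than per entityID. Written as a Shibboleth IdP v3 MFA-intercept script
// (Nashorn); `input` is the ProfileRequestContext the IdP binds for the script.
// Flow id "authn/Duo" and the prefix table are assumptions built from the post.

// Relying party -> ACS URL prefixes that require a second factor. Everything else
// at that relying party (e.g. the 25Live endpoint) falls through to first factor.
var MFA_ENDPOINT_PREFIXES = {
  "https://corp.collegenet.com/shibboleth-sp/": [
    "https://admit.applyweb.com/admit/shibboleth/sc/Shibboleth.sso/"
  ]
};

// Pure decision logic, kept separate so it can be unit-tested outside the IdP.
// Returns the next flow id, or null when no second factor is required.
function selectNextFlow(relyingPartyId, acsUrl) {
  var prefixes = MFA_ENDPOINT_PREFIXES[relyingPartyId];
  if (!prefixes || !acsUrl) { return null; }
  for (var i = 0; i < prefixes.length; i++) {
    // Prefix match keeps binding variants (SAML2/POST, SAML2/Redirect) together.
    if (acsUrl.indexOf(prefixes[i]) === 0) { return "authn/Duo"; }
  }
  return null;
}

// Read the endpoint the IdP already resolved and validated against SP metadata
// (outbound SAMLPeerEntityContext -> SAMLEndpointContext). Preferring this over
// the raw AssertionConsumerServiceURL in the AuthnRequest matters: an unsigned
// request is caller-controlled, the metadata-checked endpoint is not.
function resolvedEndpointLocation(prc) {
  var out = prc.getOutboundMessageContext();
  if (out == null) { return null; }
  var peer = out.getSubcontext("org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext");
  if (peer == null) { return null; }
  var ep = peer.getSubcontext("org.opensaml.saml.common.messaging.context.SAMLEndpointContext");
  if (ep == null || ep.getEndpoint() == null) { return null; }
  return ep.getEndpoint().getLocation();
}

// Script body as the IdP runs it; guarded so the file also loads stand-alone.
var nextFlow = null;
if (typeof input !== "undefined") {
  var rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
  nextFlow = selectNextFlow(rpCtx.getRelyingPartyId(), resolvedEndpointLocation(input));
}
nextFlow; // last expression is the script's return value in the IdP
```

Because both applications share one entityID, an assertion minted for either carries the same Audience; the endpoint check only decides which authentication flow runs, it does not turn the two applications into separate relying parties.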