MFA for InCommon members
IAM David Bantz
dabantz at alaska.edu
Tue Jul 2 13:45:20 EDT 2019
A possible option that might meet your requirements would be to require MFA
at the IdP based on the principal;
an attribute in the principal's (LDAP) record can trigger the MFA for
persons, but not for the service accounts.
We currently allow opt-in to MFA and use a value of LDAP attribute
eduPersonAssurance to trigger MFA for those who opt in.
David Bantz
UA OIT IAM
On Tue, Jul 2, 2019 at 8:47 AM Cantor, Scott <cantor.2 at osu.edu> wrote:
> > Are there any other ways the Endpoint URL can be extracted and used to
> apply MFA on ?
>
> It's ill-advised; there is no support for applying policy to a request
> beyond the entityID, to avoid tying yourself to details of a deployment
> that are in no way assumed to be stable. Those URLs are not "applications"
> in the sense that you're trying to attach meaning to.
>
> To the extent that it would ever be done, it should be done with
> RelayState by agreeing to specific values amongst the parties that signal
> the appropriate things. That's not good, but it's better than relying on
> the endpoints.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
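For readers who want to see what "an attribute in the principal's LDAP record triggers MFA" looks like in a Shibboleth IdP, the following MFA-flow transition is an added illustration; it is not configuration posted by David Bantz or the Shibboleth project, and it follows the attribute-lookup pattern from the IdP MultiFactorAuthnConfiguration documentation. It assumes the IdP's first factor is authn/Password, the second factor is authn/Duo, an attribute definition with id "eduPersonAssurance" exists in the resolver, and that the opt-in marker value is "urn:example:mfa-opt-in"; none of those names or values appear in the original message, and the opt-in value in particular is a placeholder. A principal whose record lacks the value (for example a service account) completes with the first factor only.

```xml
<!-- Added example, not from the original post: conf/authn/mfa-authn-config.xml -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Always start with the first factor. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- After Password, decide per principal whether a second factor is required. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkMfaOptIn" />
    </entry>
    <!-- An implicit final rule returns control from the MFA flow once authn/Duo completes. -->
</util:map>

<bean id="checkMfaOptIn" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
        p:customObject-ref="shibboleth.AttributeResolverService">
    <constructor-arg>
        <value>
        <![CDATA[
            // "authn/Duo" is the assumed second-factor flow name.
            nextFlow = "authn/Duo";

            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

            if (mfaCtx.isAcceptable()) {
                // The first factor already satisfies whatever the SP requested (it did not
                // demand an MFA authentication context), so MFA is purely a per-principal opt-in.
                nextFlow = null;

                // Resolve the canonical username of the principal who just authenticated.
                usernameLookupStrategyClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
                usernameLookupStrategy = new usernameLookupStrategyClass();
                username = usernameLookupStrategy.apply(input);

                // Run the attribute resolver for just the one attribute we need. The resolver
                // service is passed in as "custom" via p:customObject-ref above.
                resCtx = input.getSubcontext("net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
                resCtx.setPrincipal(username);
                resCtx.getRequestedIdPAttributeNames().add("eduPersonAssurance");
                resCtx.resolveAttributes(custom);

                // If the principal's record carries the opt-in marker, require the second factor.
                // "urn:example:mfa-opt-in" is a placeholder value assumed for this example.
                attribute = resCtx.getResolvedIdPAttributes().get("eduPersonAssurance");
                valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
                if (attribute != null && attribute.getValues().contains(new valueType("urn:example:mfa-opt-in"))) {
                    nextFlow = "authn/Duo";
                }

                // Clean up so the later, normal attribute resolution starts from a fresh context.
                input.removeSubcontext(resCtx);
            }

            nextFlow;   // null ends the flow after Password; "authn/Duo" runs the second factor
        ]]>
        </value>
    </constructor-arg>
</bean>
```

Two points worth checking before relying on this. First, the decision above is fail-open: if the resolver cannot reach LDAP, `attribute` is null and the principal finishes with the password alone; a deployment that wants fail-closed for opted-in users should keep `nextFlow = "authn/Duo"` as the default and clear it only when the attribute is present and does not carry the marker. Second, the script reads the resolved (pre-filter) attribute, so the attribute does not need to be released to any SP for this to work, but the attribute definition must exist and be resolvable by the principal's canonical username.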