MFA for InCommon members

IAM David Bantz dabantz at
Tue Jul 2 13:45:20 EDT 2019

A possible option that might meet your requirements would be to require MFA
at the IdP based on the principal;
an attribute in the principal's (LDAP) record can trigger the MFA for
persons, but not for the service accounts.

We currently allow opt-in to MFA and use a value of LDAP attribute
eduPersonAssurance to trigger MFA for those who opt in.

David Bantz

On Tue, Jul 2, 2019 at 8:47 AM Cantor, Scott <cantor.2 at> wrote:

> > Are there any other ways the Endpoint URL can be extracted and used to
> > apply MFA on?
> It's ill-advised; there is no support for applying policy to a request
> beyond the entityID, to avoid tying yourself to details of a deployment
> that are in no way assumed to be stable. Those URLs are not "applications"
> in the sense that you're trying to attach meaning to.
> To the extent that it would ever be done, it should be done with
> RelayState by agreeing to specific values amongst the parties that signal
> the appropriate things. That's not good, but it's better than relying on
> the endpoints.
> -- Scott
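The decision David describes (MFA keyed on an attribute in the principal's LDAP record, with service accounts excluded) and Scott's point (policy may key on the SP's entityID, never on its endpoint URL) can be sketched as one policy function. The following is an added illustration, not code from the thread or from the Shibboleth IdP; the opt-in value stored in eduPersonAssurance, the objectClass used to mark service accounts, and the sample directory records are all constructed for the example. It also covers one failure mode the thread leaves implicit: an SP that explicitly requests the REFEDS MFA context for a principal that cannot perform MFA, where the right answer is to refuse rather than to quietly assert a context that was not satisfied.

```python
"""Constructed illustration of per-principal MFA selection at an IdP.
Nothing here is Shibboleth IdP code; attribute values and the service-account
marker are assumptions made for the example."""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Real identifier: the REFEDS MFA profile an SP may request as AuthnContextClassRef.
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Assumed value: what this hypothetical deployment writes into eduPersonAssurance
# when a user opts in to MFA (the thread names the attribute, not the value).
MFA_OPT_IN = "https://example.edu/assurance/mfa-opt-in"
# Assumed marker: LDAP objectClass used to recognise service accounts.
SERVICE_ACCOUNT_CLASS = "serviceAccount"


@dataclass
class Principal:
    """A resolved LDAP record: uid plus multi-valued attributes."""
    uid: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)

    def has(self, attr: str, value: str) -> bool:
        return value in self.attributes.get(attr, [])


def is_service_account(p: Principal) -> bool:
    return p.has("objectClass", SERVICE_ACCOUNT_CLASS)


def decide(p: Principal, sp_entity_id: str,
           requested_context: Optional[str] = None,
           mfa_required_sps: FrozenSet[str] = frozenset()) -> str:
    """Return "mfa", "password" or "deny" for one authentication request.

    Inputs are the principal, the SP's entityID and the requested
    AuthnContextClassRef; the SP's endpoint URL is deliberately not an input.
    "deny" covers a service account for which an SP demands REFEDS MFA:
    returning "password" there would let the IdP assert a context it never met.
    """
    if is_service_account(p):
        return "deny" if requested_context == REFEDS_MFA else "password"
    if requested_context == REFEDS_MFA or sp_entity_id in mfa_required_sps:
        return "mfa"
    # Opt-in path: the attribute value in the person's own record triggers MFA.
    return "mfa" if p.has("eduPersonAssurance", MFA_OPT_IN) else "password"


# Constructed sample records standing in for LDAP lookups.
SAMPLE_DIRECTORY = {
    "alice": Principal("alice", {"objectClass": ["inetOrgPerson"],
                                 "eduPersonAssurance": [MFA_OPT_IN]}),
    "bob": Principal("bob", {"objectClass": ["inetOrgPerson"]}),
    "svc-backup": Principal("svc-backup", {"objectClass": [SERVICE_ACCOUNT_CLASS]}),
}


def decide_for(uid: str, sp_entity_id: str,
               requested_context: Optional[str] = None,
               mfa_required_sps: FrozenSet[str] = frozenset()) -> str:
    """Look a uid up in the constructed directory and apply the policy."""
    return decide(SAMPLE_DIRECTORY[uid], sp_entity_id,
                  requested_context, mfa_required_sps)


if __name__ == "__main__":
    sp = "https://sp.example.edu/shibboleth"  # constructed entityID
    for uid in SAMPLE_DIRECTORY:
        print(uid, decide_for(uid, sp), decide_for(uid, sp, REFEDS_MFA))
```

In a real IdP the same three inputs are what an MFA transition script has available after attribute resolution; keeping the endpoint URL out of the signature is the point, since those URLs are deployment details that can change without any change to the SP's identity or to the policy agreed with it.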