MFA for InCommon members

Cantor, Scott cantor.2 at
Tue Jul 2 13:49:52 EDT 2019

On 7/2/19, 1:45 PM, "users on behalf of IAM David Bantz" <users-bounces at on behalf of dabantz at> wrote:

> A possible option that might meet your requirements would be to require MFA at the IdP based on the principal;
> an attribute in the principal's (LDAP) record can trigger the MFA for persons, but not for the service accounts.

If that's the only concern, I would simply reverse it and clear the requirement for service accounts (i.e. based on some attribute representing that). That's much safer. Trying to "add" the requirement conditionally is much more prone to loopholes than clearing it conditionally, and it also allows things to fail closed in the event the attribute can't be fetched due to failure.

-- scott
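To make the fail-open versus fail-closed distinction concrete, here is an added example (not part of the thread and not Shibboleth's own MFA flow API) that models both policy shapes from the exchange above. The directory, the hypothetical `isServiceAccount` attribute and the lookup function are constructed stand-ins for an LDAP attribute resolution.

```javascript
// Added example: models the two MFA policy shapes discussed in the thread.
// Not Shibboleth code; the attribute lookup is simulated.

// Constructed directory. 'isServiceAccount' is a hypothetical attribute that
// marks non-person (service) principals. 'carol' has no such attribute at all.
const DIRECTORY = {
  alice: { isServiceAccount: false },
  backupsvc: { isServiceAccount: true },
  carol: {},
};

// Simulated LDAP lookup. Throws when the record cannot be fetched (directory
// outage, missing entry), which is the failure case raised in the reply.
function lookupAttribute(principal, name) {
  const record = DIRECTORY[principal];
  if (record === undefined) {
    throw new Error(`attribute resolution failed for ${principal}`);
  }
  return record[name];
}

// Shape 1 (the quoted suggestion): MFA is off by default and is ADDED when
// the attribute shows the principal is a person. A failed or empty lookup
// leaves the default in place, so the login proceeds without MFA: fail open.
function mfaRequiredAddConditionally(principal) {
  let required = false;
  try {
    if (lookupAttribute(principal, 'isServiceAccount') === false) required = true;
  } catch (e) {
    // lookup failure: the no-MFA default stands
  }
  return required;
}

// Shape 2 (the recommendation): MFA is on by default and is CLEARED only when
// the attribute positively identifies a service account. A failed or empty
// lookup leaves the default in place, so MFA is still enforced: fail closed.
function mfaRequiredClearConditionally(principal) {
  let required = true;
  try {
    if (lookupAttribute(principal, 'isServiceAccount') === true) required = false;
  } catch (e) {
    // lookup failure: the MFA default stands
  }
  return required;
}
```

Both shapes agree for well-formed records ('alice' gets MFA, 'backupsvc' does not); they differ for 'carol' (attribute absent) and for an unknown principal (lookup fails), where only the clear-conditionally shape still requires MFA.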
