MFA for InCommon members

Cantor, Scott cantor.2 at osu.edu
Tue Jul 2 13:49:52 EDT 2019


On 7/2/19, 1:45 PM, "users on behalf of IAM David Bantz" <users-bounces at shibboleth.net on behalf of dabantz at alaska.edu> wrote:

> A possible option that might meet your requirements would be to require MFA at the IdP based on the principal;
> an attribute in the principal's (LDAP) record can trigger the MFA for persons, but not for the service accounts.

If that's the only concern, I would simply reverse it and clear the requirement for service accounts (i.e. based on some attribute representing that). That's much safer. Trying to "add" the requirement conditionally is much more prone to loopholes than clearing it conditionally, and it also allows things to fail closed in the event the attribute can't be fetched due to failure.

-- scott
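The fail-open versus fail-closed difference in the reply above, as an added stand-alone example that is not part of the original thread and not Shibboleth IdP code: it models the two ways of conditioning the second factor on a directory attribute and runs both against the same constructed records, including a directory outage. The attribute names `isPerson` and `isServiceAccount`, the flow name `authn/MFA`, the `lookupAttributes` helper and the sample directory are all assumptions for illustration.

```javascript
// Added example (not from the thread, not Shibboleth's scripting API).
// Two policies for deciding whether a second factor is required, modelled
// as functions returning the next flow name or null (no second factor).

const MFA_FLOW = "authn/MFA"; // hypothetical second-factor flow name

// Hypothetical directory lookup. Throws when the directory cannot be
// reached, which is the failure case the reply is concerned with.
function lookupAttributes(principal, directory) {
  if (directory.unavailable) {
    throw new Error("attribute resolution failed for " + principal);
  }
  return directory.records[principal] || {};
}

// Helper shared by both policies: swallow resolution errors the way a
// "best effort" script typically does, yielding an empty attribute set.
function resolveOrEmpty(principal, directory) {
  try {
    return lookupAttributes(principal, directory);
  } catch (e) {
    return {};
  }
}

// Policy A (the quoted proposal): start with no requirement and ADD the
// second factor when a "person" marker is present. Any path on which the
// marker is not seen (outage, unpopulated record) ends with no MFA.
function nextFlowAddConditionally(principal, directory) {
  const attrs = resolveOrEmpty(principal, directory);
  return attrs.isPerson === "true" ? MFA_FLOW : null;
}

// Policy B (the reply's suggestion): require the second factor by default
// and only CLEAR it when the service-account marker is positively present.
// If resolution fails, nothing can clear the requirement: it fails closed.
function nextFlowClearConditionally(principal, directory) {
  const attrs = resolveOrEmpty(principal, directory);
  return attrs.isServiceAccount === "true" ? null : MFA_FLOW;
}

// Constructed sample directory (not real data).
const DIRECTORY = {
  unavailable: false,
  records: {
    "alice":      { isPerson: "true" },          // ordinary user
    "svc-backup": { isServiceAccount: "true" },  // service account
    "bob":        {}                             // person whose marker was never set
  }
};

// Same directory, but unreachable.
const OUTAGE = { unavailable: true, records: DIRECTORY.records };

// Run both policies over every case and return the decisions side by side.
function comparePolicies() {
  const cases = [
    ["alice", DIRECTORY], ["svc-backup", DIRECTORY],
    ["bob", DIRECTORY], ["alice", OUTAGE]
  ];
  return cases.map(([principal, dir]) => ({
    principal,
    directoryUp: !dir.unavailable,
    addConditionally: nextFlowAddConditionally(principal, dir),
    clearConditionally: nextFlowClearConditionally(principal, dir)
  }));
}

console.table(comparePolicies());
```

Two rows in the output carry the point: for `bob` (a person whose attribute was never populated) and for any principal during an outage, policy A returns `null` and lets the login through on one factor, while policy B still routes to `authn/MFA`. A service account with a missing or unreachable attribute is inconvenienced under B; a person with a missing attribute is silently exempted under A, which is the loophole the reply warns about.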