MFA for InCommon members

Wed Jul 3 11:07:56 EDT 2019

David, enabling the opt-in MFA would basically make them use MFA for every Shibboleth login site, wouldn’t it? The University is just implementing MFA on sites containing PII data; it doesn’t want to enforce it across all the login pages. This would also require that we identify all the users who use ApplyWeb, keep track of any new additions/removals, and track their MFA options. Is there any other option?

From: users <users-bounces at> On Behalf Of IAM David Bantz
Sent: Tuesday, July 2, 2019 1:45 PM
To: Shib Users <users at>
Subject: Re: MFA for InCommon members

A possible option that might meet your requirements would be to require MFA at the IdP based on the principal;
an attribute in the principal's (LDAP) record can trigger the MFA for persons, but not for the service accounts.

We currently allow opt-in to MFA and use a value of LDAP attribute eduPersonAssurance to trigger MFA for those who opt in.

David Bantz

On Tue, Jul 2, 2019 at 8:47 AM Cantor, Scott <cantor.2 at> wrote:
> Are there any other ways the Endpoint URL can be extracted and used to apply MFA on?

It's ill-advised; there is no support for applying policy to a request beyond the entityID, to avoid tying yourself to details of a deployment that are in no way assumed to be stable. Those URLs are not "applications" in the sense that you're trying to attach meaning to.

To the extent that it would ever be done, it should be done with RelayState by agreeing to specific values amongst the parties that signal the appropriate things. That's not good, but it's better than relying on the endpoints.

-- Scott
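Added illustration, not code from anyone in this thread: a pure decision function combining the two approaches above, keying MFA on the SP's entityID (never its endpoint URLs) and on a per-principal eduPersonAssurance opt-in, while exempting service accounts. The entityIDs, the opt-in value, the objectClass convention for service accounts and the flow name "authn/Duo" are all assumptions; in a real IdP this logic would sit in the scripted next-flow function of the MFA configuration rather than in a stand-alone file.

```javascript
// Constructed entityIDs of the SPs the university classes as PII-bearing.
const PII_SPS = new Set([
  "https://applyweb.example.edu/shibboleth",
]);
// Constructed eduPersonAssurance value that marks a person who opted in to MFA.
const OPT_IN_VALUE = "https://example.edu/assurance/mfa-opt-in";

// attrs models the principal's resolved LDAP record as {attributeName: [values]}.
function hasValue(attrs, name, value) {
  const values = attrs[name] || [];
  return values.indexOf(value) !== -1;
}

// Returns the flow to run after password authentication:
// "authn/Duo" to require a second factor, or null to finish with password only.
function nextFlow(entityId, attrs) {
  // Service accounts never get MFA, whatever SP they log in to.
  // (Marking them with an objectClass value is a constructed convention.)
  if (hasValue(attrs, "objectClass", "serviceAccount")) {
    return null;
  }
  // Policy is attached to the SP's entityID, not to its endpoint URLs,
  // which are deployment details that may change without notice.
  if (PII_SPS.has(entityId)) {
    return "authn/Duo";
  }
  // Per-principal opt-in, triggered by an attribute value on the record.
  if (hasValue(attrs, "eduPersonAssurance", OPT_IN_VALUE)) {
    return "authn/Duo";
  }
  return null;
}
```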
