MFA for InCommon members

Wed Jul 3 16:02:58 EDT 2019

Thank you all for the help in this regard. I found a snippet on one of the Shib forums, and with it I was able to retrieve the endpoint URL from the SAMLPeerEntityContext subtree. Here's the reference for anyone who might need it:

// Outbound message context, i.e. the response being built for the SP
var valCtx = profileContext.getOutboundMessageContext();
// Peer (SP) entity context, then the endpoint context beneath it
var specCtx = valCtx.getSubcontext("org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext");
// getEndpoint() returns the Endpoint object itself, not a context
var endPtCtx = specCtx.getSubcontext("org.opensaml.saml.common.messaging.context.SAMLEndpointContext").getEndpoint();
// Location (URL) the response will be sent to
var vlLocD = endPtCtx.getLocation();

I know this isn't the ideal way to do it, and that the URL is subject to change, but it does seem to be the most non-disruptive way to get this done.

Thank you.

-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Wednesday, July 3, 2019 11:17 AM
To: Shib Users <users at>
Subject: Re: MFA for InCommon members

On 7/3/19, 11:06 AM, "users on behalf of NAINI, NIKHIL" <users-bounces at on behalf of NAINI at> wrote:

> Scott, thanks for the response, but the SP said it's not possible for 
> him to tweak his metadata just for 1 University and a single application.

I said nothing about metadata.

> Are there any other ways we can get this implemented? 

David gave you the answer, in reverse. Identify the service accounts that need to bypass MFA, and use the MFA rule scripting logic that's running the second factor method to remove the requirement for MFA for those accounts by removing the RequestedPrincipalContext from under the AuthenticationContext in the tree. By the time the rule runs to transition from Password to whatever else, the account identity is known.

-- Scott
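The two halves of this thread (reading the SP's endpoint URL out of the outbound message context, and Scott's suggestion of removing the RequestedPrincipalContext from under the AuthenticationContext so a service account is not asked for a second factor) fit together in one MFA transition script. The following is an added example, not code from the thread or from the Shibboleth project: the decision logic is written as plain ES5 functions that navigate the context tree through the same calls the thread uses (getSubcontext by class name, getEndpoint().getLocation(), removeSubcontext), and a constructed stand-in context tree is included so it can be exercised outside the IdP. The `profileContext` parameter, the `authn/MFA-Duo` flow id, the exemption list and the endpoint URLs are all assumptions; in a real transition script the username would be looked up from the completed Password result rather than passed in.

```javascript
// Added example (not from the thread or the Shibboleth project): decision logic
// for a Shibboleth IdP MFA transition script, factored into plain functions so
// it can be run offline against a constructed context tree.

var PEER_CTX = "org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext";
var ENDPOINT_CTX = "org.opensaml.saml.common.messaging.context.SAMLEndpointContext";
var AUTHN_CTX = "net.shibboleth.idp.authn.context.AuthenticationContext";
var REQ_PRINCIPAL_CTX = "net.shibboleth.idp.authn.context.RequestedPrincipalContext";

// Walk the outbound message context down to the SP's endpoint URL, the same
// SAMLPeerEntityContext -> SAMLEndpointContext path as the thread's snippet.
// Returns null when any hop is missing rather than throwing inside the flow.
function resolveSpEndpointLocation(profileContext) {
  var outbound = profileContext.getOutboundMessageContext();
  if (outbound === null) return null;
  var peerCtx = outbound.getSubcontext(PEER_CTX);
  if (peerCtx === null) return null;
  var endpointCtx = peerCtx.getSubcontext(ENDPOINT_CTX);
  if (endpointCtx === null || endpointCtx.getEndpoint() === null) return null;
  return endpointCtx.getEndpoint().getLocation();
}

// Exemptions are keyed on (account, endpoint) so a service account is only
// excused from MFA when it is talking to the one application it was set up for.
function isExemptServiceAccount(username, endpointLocation, exemptions) {
  return exemptions.some(function (e) {
    return e.username === username && e.endpoint === endpointLocation;
  });
}

// Scott's approach: remove the RequestedPrincipalContext from under the
// AuthenticationContext so no MFA requirement remains for this request.
// Returns true if a context was removed, false if there was nothing to remove.
function dropMfaRequirement(profileContext) {
  var authCtx = profileContext.getSubcontext(AUTHN_CTX);
  if (authCtx === null) return false;
  var rpCtx = authCtx.getSubcontext(REQ_PRINCIPAL_CTX);
  if (rpCtx === null) return false;
  authCtx.removeSubcontext(rpCtx);
  return true;
}

// Transition decision after the Password flow: returns the id of the next flow
// to run, or null to finish without a second factor. The flow id is assumed.
function nextFlowAfterPassword(profileContext, username, exemptions) {
  var location = resolveSpEndpointLocation(profileContext);
  if (location !== null && isExemptServiceAccount(username, location, exemptions)) {
    dropMfaRequirement(profileContext);
    return null;
  }
  return "authn/MFA-Duo"; // hypothetical second-factor flow id
}

// ---- Constructed stand-in for the IdP context tree (for offline runs only) ----
function FakeContext(children) {
  this.children = children || {};
}
FakeContext.prototype.getSubcontext = function (className) {
  return this.children.hasOwnProperty(className) ? this.children[className] : null;
};
FakeContext.prototype.removeSubcontext = function (ctx) {
  for (var key in this.children) {
    if (this.children[key] === ctx) delete this.children[key];
  }
};

// Build a ProfileRequestContext look-alike with the given SP endpoint URL and,
// optionally, a RequestedPrincipalContext signalling that MFA was requested.
function buildProfileContext(endpointLocation, mfaRequested) {
  var endpoint = { getLocation: function () { return endpointLocation; } };
  var endpointCtx = new FakeContext();
  endpointCtx.getEndpoint = function () { return endpoint; };
  var peerCtx = new FakeContext();
  peerCtx.children[ENDPOINT_CTX] = endpointCtx;
  var outbound = new FakeContext();
  outbound.children[PEER_CTX] = peerCtx;
  var authCtx = new FakeContext();
  if (mfaRequested) authCtx.children[REQ_PRINCIPAL_CTX] = new FakeContext();
  var prc = new FakeContext();
  prc.children[AUTHN_CTX] = authCtx;
  prc.getOutboundMessageContext = function () { return outbound; };
  return prc;
}

// Constructed sample allowlist: one service account, one application endpoint.
var EXEMPTIONS = [
  { username: "svc-batch", endpoint: "https://app.example.edu/Shibboleth.sso/SAML2/POST" }
];
```

Keying the exemption on the endpoint as well as the account is the point of combining the two parts of the thread: the endpoint URL is the closest thing to an application identity that this script can see without touching the SP's metadata, so an account is exempted for one application rather than everywhere. As the first message notes, that URL can change, so the allowlist needs to be revisited whenever the SP's endpoints do.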

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at
