Enforce MFA for federated IDPs

Zunan Dong zunan.dong at utoronto.ca
Fri May 3 15:07:09 EDT 2019

Thanks, Scott. A further question: if the IdP returns a SAML assertion with
an MFA authn context in it, how do I verify it actually uses MFA and meets
the requirement in the MFA document?


On 2019-05-03 03:01 PM, Cantor, Scott wrote:
> On 5/3/19, 2:56 PM, "users on behalf of Zunan Dong" <users-bounces at shibboleth.net on behalf of zunan.dong at utoronto.ca> wrote:
>> https://refeds.org/profile/mfa is an AuthnContextClassRef inserted into SAML Req/Resp. Is there any entity category
>> that ensures a particular IDP supports this Authn Context?
> That doesn't have any value. If you don't *need* it, don't ask for it. If you do need it, then you ask, and when you get an error back, you know they didn't support it (which by definition implies you can't let them log in anyway).
> -- Scott C

Zunan Dong
Authentication Systems Specialist
Information Security
Information Technology Services
University of Toronto
Email: zunan.dong at utoronto.ca
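
The ask-and-check pattern from this thread, as an added example that is not part of the original messages or of Shibboleth's code: an SP-side decision that allows login only when the response is a success and every AuthnContextClassRef is exactly the requested one. The sample responses are constructed, the function name `mfa_decision` is hypothetical, and signature and condition validation are assumed to have been done already by the SAML stack; the check covers only what the IdP asserts.

```python
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
REFEDS_MFA = "https://refeds.org/profile/mfa"   # class ref named in the thread
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def mfa_decision(response_xml, required=REFEDS_MFA):
    """Return (allow, reason) for the response to a request that asked for `required`.
    Assumption: signature and condition checks were already done by the SAML stack."""
    root = ET.fromstring(response_xml)
    status = root.find("{%s}Status" % P)
    codes = [] if status is None else [
        c.get("Value", "") for c in status.iter("{%s}StatusCode" % P)]
    if not codes or codes[0] != SUCCESS:
        # An IdP that cannot satisfy the requested context answers with an error.
        return False, "idp error: " + (codes[-1] if codes else "no status")
    refs = [(e.text or "").strip() for e in root.iterfind(
        "{%s}Assertion/{%s}AuthnStatement/{%s}AuthnContext/{%s}AuthnContextClassRef"
        % (A, A, A, A))]
    # Exact match only: a missing or different class ref is treated as a failure.
    if not refs or any(r != required for r in refs):
        return False, "context mismatch: " + (", ".join(refs) or "none")
    return True, "asserted " + required

# --- constructed sample responses (unsigned, trimmed to the relevant elements) ---
def _resp(status, body=""):
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><samlp:Status>%s'
            '</samlp:Status>%s</samlp:Response>' % (P, A, status, body))

def _assertion(ref):
    return ('<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>'
            '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
            '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>' % ref)

_OK = '<samlp:StatusCode Value="%s"/>' % SUCCESS
SAMPLES = {
    "mfa": _resp(_OK, _assertion(REFEDS_MFA)),
    "password": _resp(_OK, _assertion(
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")),
    "refused": _resp(
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>'
        '</samlp:StatusCode>'),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, mfa_decision(xml))
```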
