Enforce MFA for federated IDPs
Zunan Dong
zunan.dong at utoronto.ca
Fri May 3 15:07:09 EDT 2019
Thanks, Scott. A further question, if IdP returns a SAML assertion with
MFA authn context in it, how do I verify it actually uses MFA and meets
the requirement in the MFA document?
Zunan
On 2019-05-03 03:01 PM, Cantor, Scott wrote:
> On 5/3/19, 2:56 PM, "users on behalf of Zunan Dong" <users-bounces at shibboleth.net on behalf of zunan.dong at utoronto.ca> wrote:
>
>> https://refeds.org/profile/mfa is an AuthnContextClassRef inserted into SAML Req/Resp. Is there any entity category
>> that ensures a particular IDP supports this Authn Context?
> That doesn't have any value. If you don't *need* it, don't ask for it. If you do need it, then you ask, and when you get an error back, you know they didn't support it (which by definition implies you can't let them login anyway).
>
> -- Scott C
>
--
Zunan Dong
Authentication Systems Specialist
Information Security
Information Technology Services
University of Toronto
Email: zunan.dong at utoronto.ca
More information about the users
mailing list