Enforce MFA for federated IDPs

Nate Klingenstein ndk at signet.id
Fri May 3 15:26:46 EDT 2019

> > https://refeds.org/profile/mfa is an AuthnContextClassRef inserted into SAML Req/Resp. Is there any entity category
> > that ensures a particular IDP supports this Authn Context?
> That doesn't have any value. If you don't *need* it, don't ask for it. If you do need it, then you ask, and when you get an error back, you know they didn't support it (which by definition implies you can't let them login anyway).
I could see some value. It would allow you to blacklist from discovery the IdPs that don't support MFA as well as give metrics regarding MFA support throughout the federation. I don't know that I would call it worth the effort, but I wouldn't call it meaningless.
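
The "ask, then handle the answer" approach discussed in this thread, as an added example that is not part of the original post or of any Shibboleth code: an SP-side check that classifies a SAML Response after `https://refeds.org/profile/mfa` was requested. The function names, result labels and sample responses are constructed for illustration; signature and condition validation are assumed to have happened already.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def mfa_decision(response_xml):
    """Classify a SAML Response whose signature was already verified (assumed)."""
    root = ET.fromstring(response_xml)
    codes = [c.get("Value") for c in root.iterfind(".//samlp:StatusCode", NS)]
    if STATUS + "NoAuthnContext" in codes:
        return "idp-cannot-satisfy-mfa"   # the error the thread says to expect
    if not codes or codes[0] != STATUS + "Success":
        return "login-failed"
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    refs = [(r.text or "").strip() for r in root.iterfind(path, NS)]
    # Success alone proves nothing: an IdP may ignore RequestedAuthnContext,
    # so the asserted class must be checked on every response.
    if refs and all(ref == REFEDS_MFA for ref in refs):
        return "mfa-ok"
    return "mfa-not-asserted"


def sample_response(status_inner, class_ref=None):
    """Build a constructed, unsigned Response for demonstration only."""
    assertion = ""
    if class_ref:
        assertion = ("<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
                     f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
                     "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>")
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f"<samlp:Status>{status_inner}</samlp:Status>{assertion}</samlp:Response>")


OK = f'<samlp:StatusCode Value="{STATUS}Success"/>'
NO_CTX = (f'<samlp:StatusCode Value="{STATUS}Responder">'
          f'<samlp:StatusCode Value="{STATUS}NoAuthnContext"/></samlp:StatusCode>')

if __name__ == "__main__":
    for label, xml in [("mfa", sample_response(OK, REFEDS_MFA)),
                       ("password only", sample_response(OK, PASSWORD)),
                       ("refused", sample_response(NO_CTX))]:
        print(label, "->", mfa_decision(xml))
```

Counting the `idp-cannot-satisfy-mfa` and `mfa-not-asserted` results per IdP entityID would give the per-federation metrics mentioned in the reply without any new entity category.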
