Enforce MFA for federated IDPs
Cantor, Scott
cantor.2 at osu.edu
Fri May 3 15:45:14 EDT 2019
On 5/3/19, 3:27 PM, "users on behalf of Nate Klingenstein" <users-bounces at shibboleth.net on behalf of ndk at signet.id> wrote:
> I could see some value. It would allow you to blacklist from discovery the IdPs that don't support MFA as well as give
> metrics regarding MFA support throughout the federation. I don't know that I would call it worth the effort, but I
> wouldn't call it meaningless.
I don't think this is a good model. Preventing people from picking something is bad for the user experience and just leaves them not understanding why service A lets them choose something and B doesn't. Discovery should be consistent.
-- Scott