Enforce MFA for federated IDPs

Cantor, Scott cantor.2 at osu.edu
Fri May 3 15:45:14 EDT 2019

On 5/3/19, 3:27 PM, "users on behalf of Nate Klingenstein" <users-bounces at shibboleth.net on behalf of ndk at signet.id> wrote:

> I could see some value.  It would allow you to blacklist from discovery the IdP's that don't support MFA as well as give
> metrics regarding MFA support throughout the federation.  I don't know that I would call it worth the effort, but I
> wouldn't call it meaningless.

I don't think this is a good model. Preventing people from picking something is bad for the user experience and just leaves them not understanding why service A lets them choose something and B doesn't. Discovery should be consistent.

-- Scott

More information about the users mailing list