Step-up MFA

Aterea Brown atbrown at aut.ac.nz
Mon May 13 16:12:47 EDT 2019 

Hi Keith,

Is the idp reusing the mfah flow result?

Get Outlook for Android<https://aka.ms/ghei36>

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Wessel, Keith <kwessel at illinois.edu>
Sent: Tuesday, May 14, 2019 7:46:50 AM
To: users at shibboleth.net
Subject: Step-up MFA

All,

It was brought to my attention this morning that some step-up MFA that we had working is no longer working.

We require MFA for all faculty, staff, and grad students; undergrads opt in. We have a couple of SPs that, despite my best efforts of convincing folks otherwise, don't require MFA for anyone. We pull off all of this magic with an attribute definition that takes into account MFA group memberships and the SP requesting authentication.

When I rolled this out, you could go to one of the SPs that was 2FA exempted and log in with your password. You could then go to any other SP and be prompted to do the 2FA part to step up the authentication.

I was informed this morning that going first to the exempted SP then to any other SP lets you in to both without step-up. Not good, obviously.

Am I correct that an authentication request on an existing IdP session will cause the IdP to evaluate the requested authentication contexts against those the user has already satisfied? And if one has not already been satisfied, the IdP will go through the MFA authn flow again to satisfy a requested context? And at that time, the MFA script will resolve any attributes coded into it to resolve (like the eduPersonAssurance attribute) along with any dependent attributes. I want to make sure that my issue isn't attribute caching or even the MFA flow not running at all.

I've checked over my logic in my MFA script and my attribute definitions and can't find any reasons why this wouldn't be working, and I know it did in the past. So, I thought I'd confirm how things _should_ work for step-up.

Thanks,
Keith

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190513/c8cf5431/attachment.html>

More information about the users mailing list