Step-up MFA

Aterea Brown atbrown at
Mon May 13 18:13:01 EDT 2019

Thanks for clearing that up Scott, would you be able to provide an example of the setup you describe?

Aterea Brown, AUT University
Cybersecurity, ICT
Email: atbrown at Phone: 9219999 x 6523
From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Tuesday, 14 May 2019 10:06 AM
To: Shib Users
Subject: Re: Step-up MFA

On 5/13/19, 5:51 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> It's already more complex than I'd like, and I'd welcome suggestions on how to simplify it.

The only way out is to force the flow to run, set reuseCondition to false so it never reuses the root result without running the script.

Covered at length in the MFA topic under "Reuse of the Entire authn/MFA Flow Result (When Is a MFA Next Flow Strategy Executed?)"

There are cleaner ways to do things, but they don't work in the situation you have. When you have a manageable number of SPs opting into MFA like I do, it's cleaner to do it the way I described originally, but you have SPs out there requesting it on their own combined with a huge number to default in, so it gets very ugly because of the need to prevent spoofing requests down to a weaker AuthnContext. The mess of tags and maintenance of systems in the different sets gets too ugly once it ramps up to "everything except a few" and it's easier to require nothing and let the MFA scripting sort it out.

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list