Step-up MFA

Wessel, Keith kwessel at
Tue May 14 07:24:45 EDT 2019

That's what I was looking for. Thanks, Scott and Andy. No idea how I missed this item in the upgrade notes for 3.4.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Monday, May 13, 2019 5:06 PM
To: Shib Users <users at>
Subject: Re: Step-up MFA

On 5/13/19, 5:51 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> It's already more complex than I'd like, and I'd welcome suggestions on how to simplify it.

The only way out is to force the flow to run, set reuseCondition to false so it never reuses the root result without running the script.

Covered at length in the MFA topic under "Reuse of the Entire authn/MFA Flow Result (When Is a MFA Next Flow Strategy Executed?)"

There are cleaner ways to do things, but they don't work in the situation you have. When you have a manageable number of SPs opting into MFA like I do, it's cleaner to do it the way I described originally, but you have SPs out there requesting it on their own combined with a huge number to default in, so it gets very ugly because of the need to prevent spoofing requests down to a weaker AuthnContext. The mess of tags and maintenance of systems in the different sets gets too ugly once it ramps up to "everything except a few" and it's easier to require nothing and let the MFA scripting sort it out.

-- Scott
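The setting Scott refers to, shown here as an added configuration example rather than anything posted in the thread: in Shibboleth IdP 3.4 the MFA flow's reuse behaviour is governed by the `shibboleth.authn.MFA.reuseCondition` bean in `conf/authn/mfa-authn-config.xml`, and pointing it at the built-in `shibboleth.Conditions.FALSE` predicate prevents the IdP from reusing the root MFA result, so the next-flow strategy script runs on every request and can decide whether a step-up is needed. The surrounding file layout and comments are assumptions about a typical install, not a copy of the stock file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/authn/mfa-authn-config.xml (excerpt; assumed layout, not the stock file verbatim) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!--
        Default in 3.4: the whole authn/MFA result is eligible for reuse, so an
        SP that sends a weaker (or no) AuthnContext request after an earlier
        password-only login gets the cached result and the transition script is
        never consulted. That is the gap that lets a request be "spoofed down".
    -->
    <!--
    <bean id="shibboleth.authn.MFA.reuseCondition" parent="shibboleth.Conditions.TRUE" />
    -->

    <!--
        Override: never reuse the root MFA result. The MFA flow (and therefore the
        next-flow strategy script) executes on every authentication request, and
        reuse decisions are made per sub-flow instead. Individual factor results
        (e.g. the password login) can still be reused by their own flows, so
        users are not re-prompted for the first factor on every visit.
    -->
    <bean id="shibboleth.authn.MFA.reuseCondition" parent="shibboleth.Conditions.FALSE" />

</beans>
```

The trade-off is that the script's decision logic now runs for every SP, including the ones that never ask for MFA, so it needs to be cheap and to return the right next flow (or none) for the default case; that is the "let the MFA scripting sort it out" approach the thread settles on, as opposed to maintaining opt-in tags per SP.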
