github relying party & MFA

IAM David Bantz dabantz at alaska.edu
Wed Oct 16 15:28:48 EDT 2019


Is it practical to have MFA triggered in the IdP using logic relying on
both a user attribute and the relying party id?

Our IdP currently triggers (Duo) 2FA by user (eduPersonAssurance value=
https://refeds.org/profile/mfa), but this week I've received suggestions or
requests for triggering or suppressing on the basis of relying party id;
that is, to trigger 2FA for relying party A or A' without generally
requiring it for other logins, and in another case to suppress the 2FA
request in the IdP for relying party B regardless of whether the user's
account generally requires 2FA.

[That case might seem odd: the service owner indicates a need to use the
service's own MFA rather than rely on Duo MFA from our IdP, because only
that internally triggered MFA (but not a signal indicating MFA from the
IdP) will be tracked and used to determine differential access to sites
within the service. This case means that for user X, even if that user is
flagged for Duo MFA generally, they should not be prompted for a second
factor if the service is GitHub, because GitHub may prompt for 2FA and X
doesn't want to be prompted twice for a second factor.]

So in principle I think I'm being asked to configure:

    require (Duo) 2FA if ((MFA user and relying party not in (B, B', ...))
                          or (relying party in (A, A', ...)))

Is this a feasible configuration to manage in the IdP? If so, please give
hints!

Thank you,
David Bantz
UA OIT IAM
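As an added illustration (not part of the original post, and not a file shipped by the Shibboleth project), here is how that predicate maps onto the Shibboleth IdP v3 MFA login flow's transition map in conf/authn/mfa-authn-config.xml. After the Password flow succeeds, a scripted transition inspects the relying party id and, only for relying parties outside both lists, resolves eduPersonAssurance to decide whether to run the Duo flow. Assumptions: the Password and Duo login flows are enabled, eduPersonAssurance is defined in the attribute resolver under that id, and the entityIDs in the two lists are placeholders, not real SPs.

```xml
<!-- conf/authn/mfa-authn-config.xml (excerpt; added example, entityIDs are placeholders) -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- First factor: the Password flow. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- After Password succeeds, a function decides whether Duo is required. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
    <!-- The implicit final rule returns whatever the last flow returns. -->
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
      p:customObject-ref="shibboleth.AttributeResolverService">
    <constructor-arg>
        <value>
            <![CDATA[
            // Set A: always require Duo, whatever the user's flag (placeholder entityIDs).
            var alwaysMFA = ["https://sp-a.example.edu/shibboleth",
                             "https://sp-a-prime.example.edu/shibboleth"];
            // Set B: service runs its own second factor; never add Duo at the IdP (placeholder entityID).
            var neverIdPMFA = ["https://github.com/orgs/example-org/sso"];

            var nextFlow = "authn/Duo";
            var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            var mfaCtx  = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
            var rpCtx   = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
            var rpId    = String(rpCtx.getRelyingPartyId());

            if (!mfaCtx.isAcceptable()) {
                // The SP asked for something the password alone cannot satisfy
                // (e.g. AuthnContextClassRef https://refeds.org/profile/mfa), so Duo is
                // never suppressed here, not even for set B.
            } else if (alwaysMFA.indexOf(rpId) >= 0) {
                // Set A: keep nextFlow = "authn/Duo".
            } else if (neverIdPMFA.indexOf(rpId) >= 0) {
                // Set B: password is enough at the IdP; the service prompts for its own MFA.
                nextFlow = null;
            } else {
                // Everyone else: Duo only if the user carries the REFEDS MFA assurance value.
                var resCtx = input.getSubcontext(
                    "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
                var usernameLookupStrategyClass = Java.type(
                    "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
                resCtx.setPrincipal(new usernameLookupStrategyClass().apply(input));
                resCtx.getRequestedIdPAttributeNames().add("eduPersonAssurance");
                resCtx.resolveAttributes(custom);
                var attr = resCtx.getResolvedIdPAttributes().get("eduPersonAssurance");
                var valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
                var flagged = attr != null &&
                    attr.getValues().contains(new valueType("https://refeds.org/profile/mfa"));
                input.removeSubcontext(resCtx);   // cleanup so the real resolution runs later
                if (!flagged) {
                    nextFlow = null;
                }
            }
            nextFlow;   // "authn/Duo" runs the second factor; null finishes with the password result
            ]]>
        </value>
    </constructor-arg>
</bean>
```

Two points worth checking when adopting something like this: the isAcceptable() guard keeps the suppression from overriding an explicit MFA request from the SP, and a login for a set B service ends without a Duo result, so the assertion to that service will not carry the REFEDS MFA context class, which is exactly what the service owner in the scenario wants. The set A case can also be expressed without scripting by giving those relying parties a relying-party.xml override whose defaultAuthenticationMethods is the REFEDS MFA context, which makes isAcceptable() false after the password and forces the Duo branch.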