Forcing the timeout of 2nd factor in a MFA login

Julian Williams julian.williams at
Mon Feb 10 09:53:56 EST 2020

Dear Shibboleth users,

We are testing a new MFA flow with IdP 3.4 which uses the standard 
Password flow as the first factor and an custom flow that checks an OTP 
as the second factor. This is used by only one application here and that 
uses a Shibboleth Service Provider which we have control over. The MFA 
flow is chosen when the SP requests a authnContextClassRef of 

Is there any way of reducing the session lifetime of the second factor 
to 15min whilst keeping the default/Password lifetime to 10hours? 
Ideally what we'd like is for the application to request a new 
authentication after 15min of inactivity and we want users to just be 
prompted for the 2nd factor and not their password again.

I've experimented with changing various things but at the moment I can 
either trigger the whole MFA flow to rerun, including asking for the 
password, or not at all.

These are the pertinent config setting I think...

#### conf/ ####

idp.session.timeout = PT10H
idp.authn.flows= MFA
idp.authn.defaultLifetime = PT10H
idp.authn.defaultTimeout = PT10H

#### conf/authn/general-authn.xml ####
         <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
         <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                 p:forcedAuthenticationSupported="true" />
         <bean id="authn/AVWebFlow" parent="shibboleth.AuthenticationFlow"

#### conf/authn/mfa-authn-config.xml ####

    <util:map id="shibboleth.authn.MFA.TransitionMap">
         <!-- First rule runs the Password login flow. -->
         <entry key="">
             <bean parent="shibboleth.authn.MFA.Transition" 
p:nextFlow="authn/Password" />

         <entry key="authn/Password">
             <bean parent="shibboleth.authn.MFA.Transition" 
p:nextFlowStrategy-ref="checkSecondFactor" />

         <!-- An implicit final rule will return whatever the final flow 
returns. -->

     <!-- Example script to see if second factor is required. -->
     <bean id="checkSecondFactor" 
parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
                 nextFlow = "authn/AVWebFlow";

                 authCtx = 
                 mfaCtx = 
                 if (mfaCtx.isAcceptable()) {
                     nextFlow = null;

                 nextFlow;   // pass control to second factor or end 
with the first

If I just set the p:lifetime="PT15M" on the bean for the 2nd factor flow 
(authn/AVWebFlow) the IdP appears to ignore it and carrying on issuing 
assertions after the 15min has elapsed. If I also set this lifetime on 
the MFA bean (authn/MFA) then the lifetime is honored but then I get 
prompts for both factors which isn't what I'd like.

I've also tried using a maxTimeSinceAuthn setting on the SP but all that 
does is make the SP throw an error and doesn't force a re-authentication 
which is what we were hoping for.

We could also set forceAuthn="true" on the SP side but I'm assuming that 
that will trigger the complete MFA flow to run i.e. both factors.

Any advice much appreciated.



More information about the users mailing list