Forcing the timeout of 2nd factor in a MFA login

Joseph Fischetti Joseph.Fischetti at
Mon Feb 10 10:06:10 EST 2020

I believe the timeout settings in the beans in general-authn are applied to the particular flow that was called.  I *believe* they become irrelevant if the flows are called via another flow (in this case, password is called via the mfa flow, so the only timeout setting that would be evaluated is the one for the mfa flow itself).

There’s probably some logic that you could put in a custom script in the mfa flow that could check the status of the password timeout, but I wouldn’t know offhand where to do that.  Rather than call authn/Password directly, you would have a custom script that checks the password timeout, and only calls authn/Password if it’s already timed out. Otherwise, call authn/Totp. It should be straightforward enough to see if it’s possible.

What plugin are you using for the totp authn?  I developed a totp plugin based on some work by another community member which leverages the attribute resolver to pull the encrypted seeds from an attribute store.  I posted it here on the mailing list a while back.


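The decision the reply sketches, as an added stand-alone JavaScript model (not code from this thread or from the Shibboleth project): given the per-factor results, run authn/Password only when the first factor has timed out, otherwise run the second factor only when it is stale, otherwise accept. It assumes the script can read the session's reusable results as a map keyed by flow id whose entries expose authentication and last-activity instants in epoch milliseconds; the flow ids and the PT10H / PT15M values are the ones discussed above.

```javascript
// Assumption: each result is { authenticationInstant, lastActivityInstant } in
// epoch ms, standing in for what the IdP's AuthenticationResult would expose.
const PASSWORD_FLOW = "authn/Password";
const TOTP_FLOW = "authn/Totp";                      // the reply's second-factor flow id
const PASSWORD_LIFETIME_MS = 10 * 60 * 60 * 1000;    // PT10H, first-factor lifetime/timeout
const TOTP_TIMEOUT_MS = 15 * 60 * 1000;              // PT15M, desired second-factor lifetime/inactivity

// True if a stored result is still usable: not older than lifetimeMs and
// not idle for timeoutMs or longer. A missing result is never fresh.
function resultIsFresh(result, nowMs, lifetimeMs, timeoutMs) {
  if (!result) return false;
  const age = nowMs - result.authenticationInstant;
  const idle = nowMs - result.lastActivityInstant;
  return age >= 0 && age < lifetimeMs && idle >= 0 && idle < timeoutMs;
}

// Returns the flow id the MFA transition should run next, or null to accept
// the existing results without prompting. activeResults is keyed by flow id.
function chooseNextFlow(activeResults, nowMs) {
  const pw = activeResults[PASSWORD_FLOW];
  if (!resultIsFresh(pw, nowMs, PASSWORD_LIFETIME_MS, PASSWORD_LIFETIME_MS)) {
    return PASSWORD_FLOW;   // first factor expired or never run: start over
  }
  const totp = activeResults[TOTP_FLOW];
  if (!resultIsFresh(totp, nowMs, TOTP_TIMEOUT_MS, TOTP_TIMEOUT_MS)) {
    return TOTP_FLOW;       // password still good, second factor stale: reprompt only TOTP
  }
  return null;              // both factors fresh: nothing to run
}

// Constructed sample: password done 2 h ago and touched 20 min ago,
// TOTP done 40 min ago and last used 20 min ago (arbitrary "now").
const MIN = 60 * 1000;
const now = 1581346800000;
const sample = {
  [PASSWORD_FLOW]: { authenticationInstant: now - 120 * MIN, lastActivityInstant: now - 20 * MIN },
  [TOTP_FLOW]:     { authenticationInstant: now - 40 * MIN,  lastActivityInstant: now - 20 * MIN },
};
console.log(chooseNextFlow(sample, now)); // authn/Totp
```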
From: users <users-bounces at> on behalf of Julian Williams <julian.williams at>
Sent: Monday, February 10, 2020 9:53:56 AM
To: users at <users at>
Subject: Forcing the timeout of 2nd factor in a MFA login


Dear Shibboleth users,

We are testing a new MFA flow with IdP 3.4 which uses the standard
Password flow as the first factor and a custom flow that checks an OTP
as the second factor. This is used by only one application here and that
uses a Shibboleth Service Provider which we have control over. The MFA
flow is chosen when the SP requests an authnContextClassRef of

Is there any way of reducing the session lifetime of the second factor
to 15min whilst keeping the default/Password lifetime to 10hours?
Ideally what we'd like is for the application to request a new
authentication after 15min of inactivity and we want users to just be
prompted for the 2nd factor and not their password again.

I've experimented with changing various things but at the moment I can
either trigger the whole MFA flow to rerun, including asking for the
password, or not at all.

These are the pertinent config settings, I think...

#### conf/ ####

idp.session.timeout = PT10H
idp.authn.flows= MFA
idp.authn.defaultLifetime = PT10H
idp.authn.defaultTimeout = PT10H

#### conf/authn/general-authn.xml ####
         <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
         <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                 p:forcedAuthenticationSupported="true" />
         <bean id="authn/AVWebFlow" parent="shibboleth.AuthenticationFlow"

#### conf/authn/mfa-authn-config.xml ####

    <util:map id="shibboleth.authn.MFA.TransitionMap">
         <!-- First rule runs the Password login flow. -->
         <entry key="">
             <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />

         <entry key="authn/Password">
             <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />

         <!-- An implicit final rule will return whatever the final flow returns. -->

     <!-- Example script to see if second factor is required. -->
     <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
                 nextFlow = "authn/AVWebFlow";

                 authCtx =
                 mfaCtx =
                 if (mfaCtx.isAcceptable()) {
                     nextFlow = null;

                 nextFlow;   // pass control to second factor or end with the first

If I just set the p:lifetime="PT15M" on the bean for the 2nd factor flow
(authn/AVWebFlow) the IdP appears to ignore it and carries on issuing
assertions after the 15min has elapsed. If I also set this lifetime on
the MFA bean (authn/MFA) then the lifetime is honored but then I get
prompts for both factors which isn't what I'd like.

I've also tried using a maxTimeSinceAuthn setting on the SP but all that
does is make the SP throw an error and doesn't force a re-authentication
which is what we were hoping for.

We could also set forceAuthn="true" on the SP side but I'm assuming that
that will trigger the complete MFA flow to run i.e. both factors.

Any advice much appreciated.
