MFA Resources

Cantor, Scott cantor.2 at
Tue Jul 28 18:22:22 UTC 2020

I hit send early...

On 7/27/20, 8:49 PM, "users on behalf of Jeremiah Garmatter" <users-bounces at on behalf of j-garmatter at> wrote:

> I thought I could use Stanford Universities MFA context

There's basically one pseudo-standard value in academia, or you generally define your own

The REFEDS value is defined in and may be fine if the deployment meets its minimal requirements. OSU's deployment right now does not meet them for a couple of reasons, therefore I couldn't use it, and had to invent my own to use for my campus.

For the purposes of getting it to work, what it is doesn't matter. Use whatever's handy, use the example in the documentation even. Changing it later is a simple global replace in a couple of files.

> Should I be configuring some sort of script within the mfa-authn-config.xml script?


> Am I supposed to configure MFA to override the single factor username to allow for multiple forms of authentication?

Yes. Right now you have Password enabled as the login flow to use ( -> idp.authn.flows).

You have to change that to "MFA", and configure the MFA feature to combine the Password and Duo methods in a particular way to get to the end result you're trying to achieve. The default rules and scripts in the mfa-authn-config file basically do this, but they do it by demonstrating IPAddress and Password instead of Password and Duo. It is a straight text replacement in many cases to get a basically working example of Password and Duo.

> As usual, help is appreciated, but if what I ask is beyond the scope of this email list please refer me to another group.

There is no other group, unless you're prepared to pay for help, and I'm already pushing the boundaries of what is reasonable to expect (see the list footer), but I'm legitimately trying to imagine what I can possible say here.

I would suggest that you start by ignoring the per-service part of your question, and probably even the Duo part. You're trying to do everything at once.

Once you have the MFA feature configured to combine Password and Duo, you can worry about service-specific rules.

The first thing you should do is "get back to baseline". Don't touch relying-party.xml. You need to get the idp.authn.flows property set to MFA instead of Password and then get the system to be running the same password authentication step it's been doing.

Once it's doing that, adding Duo in is the next step, and then per-service rules after that.

-- Scott

More information about the users mailing list