MFA Resources
Cantor, Scott
cantor.2 at osu.edu
Tue Jul 28 18:28:36 UTC 2020
On 7/28/20, 2:16 PM, "users on behalf of Mak, Steve" <users-bounces at shibboleth.net on behalf of makst at upenn.edu> wrote:
> This list has warned in the past and I will warn you as well.
>
> idp.authn.flows= MFA|Duo|Password
>
> This line is enabling a possible MFA bypass in your IdP.
That's correct, that documentation is wrong.
> My IdP only has idp.authn.flows=MFA
Using the MFA feature generally involves enabling only that flow. In rare cases, when there are "other" methods unrelated to the MFA rules such as X.509 or SPNEGO, you might have them both active, but generally that's going to cause problems later and it's best to control the combination of options directly with the MFA feature.
-- Scott
More information about the users
mailing list