MFA Resources

Jeremiah Garmatter j-garmatter at
Tue Jul 28 18:45:10 UTC 2020


Thank you for the information. I've corrected the idp.authn.flows to be MFA
only. From your explanations, I can say that something clicked and I began
to understand how the authentication flows are built, how to enable them
properly and how they are defined through mfa-authn-config.xml as well as
general-authn.xml. Currently, the system is working as I want it to and I
believe I have figured out how to override the global configurations within
relying-party.xml across my individual services. Thank you for taking the
time to answer my questions.

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
j-garmatter at

On Tue, Jul 28, 2020 at 2:28 PM Cantor, Scott <cantor.2 at> wrote:

> On 7/28/20, 2:16 PM, "users on behalf of Mak, Steve" <
> users-bounces at on behalf of makst at> wrote:
> >    This list has warned in the past and I will warn you as well.
> >
> >                idp.authn.flows= MFA|Duo|Password
> >
> >   This line is enabling a possible MFA bypass in your IdP.
> That's correct, that documentation is wrong.
> >    My IdP only has idp.authn.flows=MFA
> Using the MFA feature generally involves enabling only that flow. In rare
> cases, when there are "other" methods unrelated to the MFA rules such as
> X.509 or SPNEGO, you might have them both active, but generally that's
> going to cause problems later and it's best to control the combination of
> options directly with the MFA feature.
> -- Scott
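
An added example, not part of the original thread or of the Shibboleth project: a Python check that reads a properties file and flags the `idp.authn.flows` setting discussed above when other flows are enabled next to MFA. It assumes the value is a plain `|`-separated list as in the quoted line; the flow ids `X509` and `SPNEGO`, the function names and the verdict labels are assumptions of this example.

```python
import re

# Flow ids the thread names as "other" methods outside the MFA rules.
# The exact ids are assumptions; adjust them to your deployment.
UNRELATED_TO_MFA = {"X509", "SPNEGO"}

def read_properties(text):
    """Minimal .properties reader: comments, '=' or ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        line = pending + line
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()  # last definition wins
    return props

def audit_flows(properties_text):
    """Return (verdict, flows) for the idp.authn.flows setting."""
    value = read_properties(properties_text).get("idp.authn.flows")
    if value is None:
        return ("unset", [])
    flows = [f.strip() for f in value.split("|") if f.strip()]
    if "MFA" not in flows:
        return ("no-mfa", flows)
    extra = [f for f in flows if f != "MFA"]
    if not extra:
        return ("ok", [])
    # Factor flows enabled next to MFA are what the thread warns about.
    factors = [f for f in extra if f not in UNRELATED_TO_MFA]
    return ("bypass-risk", factors) if factors else ("review", extra)

if __name__ == "__main__":
    # Constructed sample inputs; the first is the line quoted in the thread.
    samples = [
        "idp.authn.flows= MFA|Duo|Password",
        "idp.authn.flows=MFA",
        "# X.509 kept beside MFA\nidp.authn.flows = MFA|X509",
    ]
    for text in samples:
        print(audit_flows(text))
```

A `review` verdict corresponds to the rare case described in the reply, where a method unrelated to the MFA rules is active beside MFA and should be checked by hand.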