MFA Resources

Jeremiah Garmatter j-garmatter at onu.edu
Tue Jul 28 18:45:10 UTC 2020


Scott,

Thank you for the information. I've corrected the idp.authn.flows to be MFA
only. From your explanations, I can say that something clicked and I began
to understand how the authentication flows are built, how to enable them
properly and how they are defined through mfa-authn-config.xml as well as
general-authn.xml. Currently, the system is working as I want it to and I
believe I have figured out how to override the global configurations within
relying-party.xml across my individual services. Thank you for taking the
time to answer my questions.

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
j-garmatter at onu.edu


On Tue, Jul 28, 2020 at 2:28 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 7/28/20, 2:16 PM, "users on behalf of Mak, Steve" <
> users-bounces at shibboleth.net on behalf of makst at upenn.edu> wrote:
>
> >    This list has warned in the past and I will warn you as well.
> >
> >                idp.authn.flows= MFA|Duo|Password
> >
> >   This line is enabling a possible MFA bypass in your IdP.
>
> That's correct, that documentation is wrong.
>
> >    My IdP only has idp.authn.flows=MFA
>
> Using the MFA feature generally involves enabling only that flow. In rare
> cases, when there are "other" methods unrelated to the MFA rules such as
> X.509 or SPNEGO, you might have them both active, but generally that's
> going to cause problems later and it's best to control the combination of
> options directly with the MFA feature.
>
> -- Scott
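A configuration check for the setting discussed in this thread, added here as an example; it is not code from the Shibboleth project or from the posters. It assumes idp.authn.flows is read as a regular expression matched against whole flow ids, and that the candidate ids listed (including the spellings X509 and SPNEGO) correspond to the flows defined in your IdP.

```python
import re

# Flow ids named in the thread (assumption: extend with the flows your IdP defines).
CANDIDATE_FLOWS = ["MFA", "Duo", "Password", "X509", "SPNEGO"]

def read_property(text, key):
    """Return the last value assigned to key in Java-properties text, or None."""
    value, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":      # blank line or comment
            continue
        if line.endswith("\\"):              # backslash continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == key:
            value = m.group(2)
    return value

def audit_authn_flows(properties_text):
    """Classify idp.authn.flows: which candidate flows does the pattern enable?"""
    pattern = read_property(properties_text, "idp.authn.flows")
    if pattern is None:
        return "unset", []
    enabled = [f for f in CANDIDATE_FLOWS if re.fullmatch(pattern, f)]
    if "MFA" not in enabled:
        return "mfa-not-enabled", enabled
    extra = [f for f in enabled if f != "MFA"]
    # Any flow enabled beside MFA is top-level and deserves review.
    return ("extra-flows", extra) if extra else ("mfa-only", [])

# Constructed sample inputs: the setting warned about in the thread and the fix.
WEAK = "# constructed sample\nidp.authn.flows= MFA|Duo|Password\n"
FIXED = "idp.authn.flows=MFA\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        status, flows = audit_authn_flows(text)
        print(f"{name}: {status} {flows}")
```
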