Shibboleth IdP 4+ MFA: is Azure MFA possible? If so, how?

Vincent Feyaerts vincent.feyaerts at
Mon Nov 16 08:25:16 UTC 2020



Currently we have a Shibboleth IdP 3.x running with Microsoft ADFS as slave
for Microsoft Products like Office 365. We're upgrading to Shib IdP 4 soon.
Since we are an educational institution, I don't think it's realistic to
have it reversed, where Shibboleth is the slave and ADFS is the master.
We've done some extensive fine-tuning for SPs that have special
requirements, and we are part of a number of federations with their own
requirements; I don't think we can emulate that IdP behaviour with ADFS.


So now we are looking into MFA. Duo is, from a Shibboleth perspective, by
far the easiest to implement. It's already there. But since we use a lot of
Microsoft products, Azure MFA has been mentioned as well. This question has
been asked before, but this information is old, and to be honest, the
answers are not 100% clear. So, is there any realistic approach to
integrating Azure MFA with a Shibboleth 4 IdP? This would be custom code I
guess, to be developed by somebody we pay. But does Azure MFA even expose an
API these days to make that possible? And more importantly, can we assume
that they will continue to provide this API? Is anyone looking to implement
such a solution?


In the past I read somewhere the following statement: Microsoft doesn't want
to integrate with our IdP, they want to be your IdP :) Was that true? And is
it still true? I think Azure MFA will probably integrate great with ADFS and
therefore Office and Teams and whatnot, I'm worried about the other non-MS


Another, unrelated question: is there any timeline for the release of IdP


Thank you

Vincent Feyaerts

Network administrator

University of Antwerp
