Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?

Peter Schober peter.schober at univie.ac.at
Mon Nov 16 09:45:16 UTC 2020 

* Vincent Feyaerts <vincent.feyaerts at uantwerpen.be> [2020-11-16 09:25]:
> Currently we have a Shibboleth IdP 3.x running with Microsoft ADFS
> as slave for Microsoft Products like Office 365. We're upgrading to
> Shib IdP 4 soon.  Since we are an educational institution, I don't
> think it's realistic to have it reversed, where Shibboleth is the
> slave and ADFS is the master.

What do you mean with "slave" and "master" in this context?
If I had to guess I'd say "master" is the IDP that performs
authentication (and provides the login UI), and "slave" is an IDP
that's also an SP (so is a proxy) connected to the other IDP.
But from your speculation about possible scenarios you're using those
terms with a meaning opposite to what I described, I think.
Yet another reason to avoid those terms altogether.

> We've done some extensive finetuning for SP's that have special
> requirements, and we are part of a number of federations with their
> own requirements, I don't think we can emulate that IdP behaviour
> with ADFS.

Obviously (?) you'd try to use both products where they work best.
I.e., federation participation and anything that needs scalable trust
and policies (Shibboleth) vs. bilateral integrations with vendor
lock-in (Microsoft ADFS/Azure/etc).

> And more importantly, can we assume that they will continue to
> provide this API?

I don't see how anyone on this list would be able to meaningfully
confirm or deny what Microsoft's plans are here.
(Personally I don't even think that you could rely on Microsoft
telling you that mid-term, but that's another issue.)

> In the past I read somewhere the following statement: Microsoft
> doesn't want to integrate with our IdP, they want to be your IdP :)
> Was that true? And is it still true?

Again, how should anyone here be able to authoritatively tell you "what
Microsoft wants"?

FWIW, the above statement sounds trivially true to me (and the same
goes for the other Internet Monopolists) but then I don't know one bit
about Microsoft of their plans or products or service offerings.

-peter

More information about the users mailing list