Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?

Turner, Andrew P A.P.Turner at
Mon Nov 16 09:46:34 UTC 2020


We’re just rolling out Azure MFA and are in a similar situation to yourself.  We have Shibboleth doing lots of SSO and ADFS doing Azure AD/Office 365 + a growing number of other apps.

We took the decision a couple of years ago to go with Overt Software’s<> hosted (though I think you can run on-prem too if you prefer) Shibboleth IdP for which they have a “bridge<>” between Shib and Azure AD. This means you can point your Shib IdP at Azure AD for authentication, and hence benefit from Azure MFA.

They also have their own MFA solution that can be used with their IdP. If you went that route you could do the “bridging” the other way and use the Shib IdP to create a session on Azure AD for SSO to that too.

They also provide a great dashboard for reporting on and managing the config (and it integrates their MFA solution I think too). It’s also been very reasonably priced (for us at least) and I certainly wouldn’t go back to managing our own IdP installations.

We haven’t quite made the jump to use the bridge yet (as we don’t have consistent identities across the directory used by Shib and Azure AD) but we do plan to. I know at least one other Uni in the UK that have.

I’m sure other suppliers are also available 😊


Andrew Turner
Senior Infrastructure Analyst

Digital Technology Services
Sheffield Hallam University

From: users <users-bounces at> On Behalf Of Vincent Feyaerts
Sent: 16 November 2020 08:25
To: Shib Users <users at>
Subject: Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?


Currently we have a Shibboleth IdP 3.x running with Microsoft ADFS as slave for Microsoft Products like Office 365. We’re upgrading to Shib IdP 4 soon. Since we are an educational institution, I don’t think it’s realistic to have it reversed, where Shibboleth is the slave and ADFS is the master. We’ve done some extensive finetuning for SP’s that have special requirements, and we are part of a number of federations with their own requirements, I don’t think we can emulate that IdP behaviour with ADFS.

So now we are looking into MFA. Duo is, from a Shibboleth perspective, by far the easiest to implement. It’s already there. But since we use a lot of Microsoft products, Azure MFA has been mentioned as well. This question has been asked before, but this information is old, and to be honest, the answers are not 100% clear. So, is there any realistic approach to integrating Azure MFA with a Shibboleth 4 IdP? This would be custom code I guess, to be developed by somebody we pay. But does Azure MFA even expose an API these days to make that possible? And more importantly, can we assume that they will continue to provide this API? Is anyone looking to implement such a solution?

In the past I read somewhere the following statement: Microsoft doesn’t want to integrate with our IdP, they want to be your IdP :) Was that true? And is it still true? I think Azure MFA will probably integrate great with ADFS and therefore Office and Teams and whatnot, I’m worried about the other non-MS stuff.

Another, unrelated question: is there any timeline for the release of IdP 4.1?

Thank you
Vincent Feyaerts
Network administrator
University of Antwerp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list