Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?

Turner, Andrew P A.P.Turner at
Mon Nov 16 12:34:42 UTC 2020


I think you may have misunderstood (unless of course I have since I’ve not actually used it yet!).

My understanding of the flow is:

  *   an SP directs user to their Shib IdP (or they do IdP initiated auth)
  *   If the user doesn’t have a Shib session, the Shib IdP sends user to Azure AD for authentication purposes (inc MFA if applicable)
  *   Shib IdP receives authentication result
  *   Shib IdP sends SAML Response to SP

The Shib IdP is simply authenticating the user against Azure AD rather than traditional LDAP/others. The Shib IdP is acting like an SP to the Azure AD IdP.

I’m sure Overt can do a better job of explaining than I can though! 😊

I appreciate this isn’t a direct answer to Vincent’s problem (i.e. how to integrate Azure MFA directly into the Shib auth process), but it is an alternative way to do this that is probably worth consideration.

I really can’t say enough about how much value we’ve had from moving to using Overt’s hosted solution. The dashboard makes so many tasks easier, they do any required upgrades and patches, they have developed it at zero cost based on my own feedback and their support has been excellent and often goes beyond what many others would provide for the same cost. By the way, I am in no way affiliated with them or get any incentives – I’m just a happy customer who already has way too many things to do and this saves me time 😊

Hope this helps


Andrew Turner
Senior Infrastructure Analyst

Digital Technology Services
Sheffield Hallam University

From: users <users-bounces at> On Behalf Of Joseph Fischetti
Sent: 16 November 2020 12:18
To: Shib Users <users at>
Subject: Re: Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?

In the scenario that Andy describes, Microsoft is still running your IdP; they're just delegating authentication to your Shibboleth IdP.

This doesn't necessarily accomplish what the original poster was looking for. Any SP pointed to Shib will not be protected with MFA. Only those pointed to Azure will get MFA prompted.

At this point in time, I do believe Duo is the only turnkey solution. I had developed a plugin (pre-4.0) so the IdP could do native TOTP MFA. It worked well, but with it come all sorts of other token management issues you would have to deal with.

From: users <users-bounces at> on behalf of Turner, Andrew P <A.P.Turner at>
Sent: Monday, November 16, 2020 4:46:34 AM
To: Shib Users <users at>
Subject: RE: Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?

We’re just rolling out Azure MFA and are in a similar situation to yourself. We have Shibboleth doing lots of SSO and ADFS doing Azure AD/Office 365 + a growing number of other apps.

We took the decision a couple of years ago to go with Overt Software’s hosted (though I think you can run on-prem too if you prefer) Shibboleth IdP for which they have a “bridge” between Shib and Azure AD. This means you can point your Shib IdP at Azure AD for authentication, and hence benefit from Azure MFA.

They also have their own MFA solution that can be used with their IdP. If you went that route you could do the “bridging” the other way and use the Shib IdP to create a session on Azure AD for SSO to that too.

They also provide a great dashboard for reporting on and managing the config (and it integrates their MFA solution I think too). It’s also been very reasonably priced (for us at least) and I certainly wouldn’t go back to managing our own IdP installations.

We haven’t quite made the jump to use the bridge yet (as we don’t have consistent identities across the directory used by Shib and Azure AD) but we do plan to. I know at least one other Uni in the UK that has.

I’m sure other suppliers are also available 😊

Andrew Turner
Senior Infrastructure Analyst

Digital Technology Services
Sheffield Hallam University

From: users <users-bounces at> On Behalf Of Vincent Feyaerts
Sent: 16 November 2020 08:25
To: Shib Users <users at>
Subject: Shibboleth Idp 4+ MFA: is Azure MFA possible? If so, how?

Currently we have a Shibboleth IdP 3.x running with Microsoft ADFS as slave for Microsoft Products like Office 365. We’re upgrading to Shib IdP 4 soon. Since we are an educational institution, I don’t think it’s realistic to have it reversed, where Shibboleth is the slave and ADFS is the master. We’ve done some extensive finetuning for SPs that have special requirements, and we are part of a number of federations with their own requirements; I don’t think we can emulate that IdP behaviour with ADFS.

So now we are looking into MFA. Duo is, from a Shibboleth perspective, by far the easiest to implement. It’s already there. But since we use a lot of Microsoft products, Azure MFA has been mentioned as well. This question has been asked before, but this information is old, and to be honest, the answers are not 100% clear. So, is there any realistic approach to integrating Azure MFA with a Shibboleth 4 IdP? This would be custom code I guess, to be developed by somebody we pay. But does Azure MFA even expose an API these days to make that possible? And more importantly, can we assume that they will continue to provide this API? Is anyone looking to implement such a solution?

In the past I read somewhere the following statement: Microsoft doesn’t want to integrate with our IdP, they want to be your IdP :) Was that true? And is it still true? I think Azure MFA will probably integrate great with ADFS and therefore Office and Teams and whatnot, I’m worried about the other non-MS stuff.

Another, unrelated question: is there any timeline for the release of IdP 4.1?

Thank you

Vincent Feyaerts

Network administrator

University of Antwerp
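The proxied flow in Andrew’s bullet list (no Shib session → send the user to Azure AD → receive the result → issue the SAML Response to the SP) and Joseph’s caveat (an SP pointed at Shib is only MFA-protected if the Shib IdP actually obtained MFA upstream), modelled as an added Python example. This is illustrative code written for this page, not Shibboleth, Overt or Microsoft code. The SAML Response text, the `ProxyIdP` class, the `UPSTREAM_MFA_CTX` URI and the `CONTEXT_MAP` are constructed assumptions; the `PasswordProtectedTransport`, REFEDS MFA and SAML status URIs are the standard values. Signature, audience and validity checks that a real proxy must perform on the upstream assertion are omitted.

```python
"""Toy model of the proxied login described in the thread: an IdP with no session
for the user sends them to an upstream IdP (Azure AD in the thread), reads the
AuthnContextClassRef that comes back, and only then asserts to its own SP.
Added illustration, not Shibboleth, Overt or Microsoft code."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard SAML / REFEDS URIs (real values).
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REFEDS_MFA = "https://refeds.org/profile/mfa"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Constructed placeholder for the value the upstream emits after MFA; the real
# value must be taken from the upstream IdP's documentation (assumption).
UPSTREAM_MFA_CTX = "urn:example:upstream:mfa"

# Upstream context -> context this IdP asserts downstream. Anything unmapped is
# treated as password-only so an unexpected upstream value never inflates to MFA.
CONTEXT_MAP = {PASSWORD_CTX: PASSWORD_CTX, UPSTREAM_MFA_CTX: REFEDS_MFA}
STRENGTH = {PASSWORD_CTX: 1, REFEDS_MFA: 2}


def build_upstream_response(name_id, context_class):
    """Constructed stand-in for the SAML Response an upstream IdP would return."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion>
    <saml:Subject><saml:NameID>{escape(name_id)}</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>{escape(context_class)}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_authn_context(response_xml):
    """Return (NameID, AuthnContextClassRef) from an upstream Response. A real proxy
    verifies the XML signature, audience and validity window first; omitted here."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError(f"upstream authentication failed: {status}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS).text
    context = root.find(".//saml:AuthnContextClassRef", NS).text
    return name_id, context


def satisfies(have, wanted):
    """Does the context we hold meet what the SP requested (None = no preference)?"""
    if wanted is None:
        return True
    if wanted not in STRENGTH:
        return False  # a request we do not know how to honour is never satisfied
    return STRENGTH.get(have, 0) >= STRENGTH[wanted]


class ProxyIdP:
    """Step 2 of the thread's flow (send the user upstream) happens only when no
    usable Shib session exists; step 4 asserts only what was really achieved."""

    def __init__(self, upstream):
        self.upstream = upstream   # callable(user) -> upstream Response XML
        self.sessions = {}         # user -> asserted context (the "Shib session")
        self.upstream_calls = 0

    def authenticate(self, user, requested_context=None):
        context = self.sessions.get(user)
        if context is None or not satisfies(context, requested_context):
            self.upstream_calls += 1
            name_id, upstream_context = extract_authn_context(self.upstream(user))
            if name_id != user:
                raise ValueError("upstream asserted a different subject")
            context = CONTEXT_MAP.get(upstream_context, PASSWORD_CTX)
            self.sessions[user] = context
        if not satisfies(context, requested_context):
            # The SP asked for MFA but the upstream only did a password:
            # refuse rather than assert a context that was never achieved.
            return {"status": NO_AUTHN_CONTEXT, "subject": user, "context": None}
        return {"status": SUCCESS, "subject": user, "context": context}


if __name__ == "__main__":
    idp = ProxyIdP(lambda u: build_upstream_response(u, UPSTREAM_MFA_CTX))
    print(idp.authenticate("alice", REFEDS_MFA))   # Success, REFEDS MFA asserted
    print(idp.authenticate("alice"))               # session reused, no upstream call
    weak = ProxyIdP(lambda u: build_upstream_response(u, PASSWORD_CTX))
    print(weak.authenticate("alice", REFEDS_MFA))  # NoAuthnContext: MFA never happened
```

The design point is the `CONTEXT_MAP` default and the final `satisfies` check: the proxying IdP translates what the upstream actually asserted into the federation vocabulary (here REFEDS MFA) and refuses an SP’s MFA request when the upstream only performed a password login, which is exactly the gap Joseph describes for SPs that point at Shib while only Azure-pointed apps are MFA-prompted. Shibboleth IdP 4 ships its own SAML authentication flow for this kind of proxying; this toy only models the session and context-mapping logic, not that configuration.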