Forcing MFA for some SPs and not Others

Wessel, Keith kwessel at
Fri Aug 13 17:02:11 UTC 2021

That's not true if you hve MFA configured properly. The second MFA should see that the currently satisfied authentication methods isn't sufficient and should prompt the user for step-up authentication. That is, it'll skip asking the user for their username and password again but will go straight to the MFA prompt.


From: users <users-bounces at> On Behalf Of Ullfig, Roberto Alfredo
Sent: Friday, August 13, 2021 11:56 AM
To: Shib Users <users at>
Subject: Forcing MFA for some SPs and not Others

Is there a way for Shibboleth to create different cookies for different SPs? For instance, if I force MFA on an application on the IDP side I can easily get around MFA by logging into another SP that doesn't require MFA first because I've already identified myself.

Roberto Ullfig - rullfig at<mailto:rullfig at>
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list