Forcing MFA for some SPs and not Others
Brian Moon
bmoon at scu.edu
Fri Aug 13 17:11:13 UTC 2021
Hello Roberto,
Check out this bit of documentation here:
https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1474297850/Supporting+the+REFEDS+MFA+Profile
Basically what you need to do is ensure that you are directing everything
to the MFA flow. Within the MFA flow, follow the example to check to see
if a second factor is needed and then pass on control as needed.
You will also need to ensure that you have the MFA principals defined and
then use conf/relying-party.xml to require MFA for certain SPs.
Hope that helps
Brian Moon
Senior System Administrator, Enterprise Systems
Santa Clara University
On Fri, Aug 13, 2021 at 10:02 AM Wessel, Keith <kwessel at illinois.edu> wrote:
> That’s not true if you have MFA configured properly. The second MFA should
> see that the currently satisfied authentication methods aren’t sufficient
> and should prompt the user for step-up authentication. That is, it’ll skip
> asking the user for their username and password again but will go straight
> to the MFA prompt.
>
> Keith
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of* Ullfig,
> Roberto Alfredo
> *Sent:* Friday, August 13, 2021 11:56 AM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Forcing MFA for some SPs and not Others
>
> Is there a way for Shibboleth to create different cookies for different
> SPs? For instance, if I force MFA on an application on the IDP side I can
> easily get around MFA by logging into another SP that doesn't require MFA
> first because I've already identified myself.
>
> ---
>
> Roberto Ullfig - rullfig at uic.edu
> Systems Administrator
> Enterprise Applications & Services | Technology Solutions
> University of Illinois - Chicago
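
A toy model of the step-up behaviour described in the thread above, added here as an illustration; it is not code from the thread or from Shibboleth. The SP entity IDs, the factor names and the policy table are assumptions standing in for what conf/relying-party.xml and the MFA flow express.

```python
"""Toy model of an IdP step-up decision (constructed example, not Shibboleth code)."""

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "https://refeds.org/profile/mfa"

# Assumed mapping: which authentication principals each completed factor yields.
FACTOR_PRINCIPALS = {"password": {PASSWORD}, "second_factor": {MFA}}

# Hypothetical SPs and their requirements, standing in for conf/relying-party.xml.
WIKI = "https://wiki.example.edu/shibboleth"
PAYROLL = "https://payroll.example.edu/shibboleth"
SP_REQUIRED = {
    WIKI: set(),       # any authentication method accepted
    PAYROLL: {MFA},    # MFA required
}


def principals(factors):
    """Principals satisfied by a set of completed factors."""
    return set().union(*(FACTOR_PRINCIPALS[f] for f in factors))


def login(session, sp_entity_id):
    """Return the prompts shown for this SP and record them in the SSO session.

    `session` is the set of factors already completed at the IdP. It is shared
    across SPs, but it is reused only as far as it satisfies the requirement
    of the SP making the request.
    """
    required = SP_REQUIRED[sp_entity_id]
    prompts = []
    if "password" not in session:
        prompts.append("password")
    satisfied = principals(session | set(prompts))
    if required and not (required & satisfied):
        prompts.append("second_factor")  # step-up: no second password prompt
    session.update(prompts)
    return prompts


def demo():
    """The scenario from the question: non-MFA SP first, then the MFA SP."""
    session = set()
    return [login(session, WIKI), login(session, PAYROLL),
            login(session, PAYROLL), login(session, WIKI)]


if __name__ == "__main__":
    print(demo())
```

Logging in to the non-MFA SP first does not remove the second-factor prompt at the MFA SP; it only removes the repeated password prompt.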