Forcing MFA for some SPs and not Others
bmoon at scu.edu
Fri Aug 13 17:11:13 UTC 2021
Check out this bit of documentation here:
Basically what you need to do is ensure that you are directing everything
to the MFA flow. Within the MFA flow, follow the example to check to see
if a second factor is needed and then pass on control as needed.
You will also need to ensure that you have the MFA principals defined and
then use conf/relying-party.xml to require MFA for certain SPs.
Hope that helps
Senior System Administrator, Enterprise Systems
Santa Clara University
On Fri, Aug 13, 2021 at 10:02 AM Wessel, Keith <kwessel at illinois.edu> wrote:
> That’s not true if you have MFA configured properly. The second MFA should
> see that the currently satisfied authentication methods aren’t sufficient
> and should prompt the user for step-up authentication. That is, it’ll skip
> asking the user for their username and password again but will go straight
> to the MFA prompt.
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of *Ullfig,
> Roberto Alfredo
> *Sent:* Friday, August 13, 2021 11:56 AM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Forcing MFA for some SPs and not Others
> Is there a way for Shibboleth to create different cookies for different
> SPs? For instance, if I force MFA on an application on the IDP side I can
> easily get around MFA by logging into another SP that doesn't require MFA
> first because I've already identified myself.
> Roberto Ullfig - rullfig at uic.edu
> Systems Administrator
> Enterprise Applications & Services | Technology Solutions
> University of Illinois - Chicago
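The per-SP requirement described in the reply above, sketched as an added example that is not part of the original thread: a conf/relying-party.xml override that demands an MFA principal for one SP only. The entity ID is a placeholder, and the use of the REFEDS MFA class reference as the MFA principal is an assumption; it also assumes the MFA flow is already the active login flow and lists that principal as supported.

```xml
<!-- conf/relying-party.xml (fragment). Added illustration, not a site's real config. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- Only this SP (placeholder entity ID) requires the MFA principal.
         SPs not listed here fall through to shibboleth.DefaultRelyingParty,
         where a password-only result remains acceptable. -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO">
                    <!-- Applied when the SP's request names no authentication context.
                         An existing password-only session does not carry this
                         principal, so the MFA flow has to run the second factor
                         before an assertion is issued to this SP. -->
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <!-- Assumed MFA principal; it must match one the
                                 MFA flow is configured to support. -->
                            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                  c:classRef="https://refeds.org/profile/mfa" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>

</util:list>
```

To check the behaviour raised in the original question, sign in to an SP without the override first, then visit the overridden SP in the same browser session and confirm that only the second-factor prompt appears.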