Forcing MFA for some SPs and not Others

Brian Moon bmoon at
Fri Aug 13 17:11:13 UTC 2021

Hello Roberto,

Check out this bit of documentation here:

Basically what you need to do is ensure that you are directing everything
to the MFA flow.  Within the MFA flow, follow the example to check to see
if a second factor is needed and then pass on control as needed.

You will also need to ensure that you have the MFA principals defined and
then use conf/relying-party.xml to require MFA for certain SPs.

Hope that helps

Brian Moon
Senior System Administrator, Enterprise Systems
Santa Clara University

On Fri, Aug 13, 2021 at 10:02 AM Wessel, Keith <kwessel at> wrote:

> That’s not true if you have MFA configured properly. The second MFA should
> see that the currently satisfied authentication methods aren’t sufficient
> and should prompt the user for step-up authentication. That is, it’ll skip
> asking the user for their username and password again but will go straight
> to the MFA prompt.
> Keith
> *From:* users <users-bounces at> *On Behalf Of *Ullfig,
> Roberto Alfredo
> *Sent:* Friday, August 13, 2021 11:56 AM
> *To:* Shib Users <users at>
> *Subject:* Forcing MFA for some SPs and not Others
> Is there a way for Shibboleth to create different cookies for different
> SPs? For instance, if I force MFA on an application on the IDP side I can
> easily get around MFA by logging into another SP that doesn't require MFA
> first because I've already identified myself.
> ---
> Roberto Ullfig - rullfig at
> Systems Administrator
> Enterprise Applications & Services | Technology Solutions
> University of Illinois - Chicago
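A simplified model of the step-up behaviour described in this thread, added here as an illustration; it is not part of the original messages and is not Shibboleth code. It shows one shared SSO session being re-evaluated against each SP's requirement on every request. The principal URIs, SP entity IDs and function names are constructed assumptions.

```python
# Simplified model of per-request step-up evaluation (NOT Shibboleth code).
# Every name below is hypothetical and every value is constructed.
from dataclasses import dataclass, field

PASSWORD = "urn:example:ac:password"
MFA = "urn:example:ac:mfa"

# Stand-in for the per-SP policy that conf/relying-party.xml would express:
# the set of principals each SP accepts.
REQUIRED = {
    "https://wiki.example.edu/sp": {PASSWORD, MFA},   # password is enough
    "https://payroll.example.edu/sp": {MFA},          # MFA only
}
DEFAULT_REQUIRED = {PASSWORD, MFA}


@dataclass
class Session:
    """One IdP session (one cookie) shared by all SPs."""
    factors: set = field(default_factory=set)   # "password", "second"

    def satisfied(self):
        """Principals that the factors completed so far can assert."""
        out = set()
        if "password" in self.factors:
            out.add(PASSWORD)
        if {"password", "second"} <= self.factors:
            out.add(MFA)
        return out


def next_step(session, sp):
    """Prompts still needed before a response may be issued to this SP."""
    required = REQUIRED.get(sp, DEFAULT_REQUIRED)
    if session.satisfied() & required:
        return []                       # existing results suffice: plain SSO
    prompts = [] if "password" in session.factors else ["password"]
    if PASSWORD not in required:        # SP accepts MFA only: step up
        prompts.append("second")
    return prompts


def login(session, sp):
    """Run the prompts, record the completed factors, return what was asked."""
    prompts = next_step(session, sp)
    session.factors.update(prompts)
    return prompts
```

Logging in to the password-only SP first does not satisfy the MFA-only SP: the second request skips the password and asks only for the second factor.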