Forcing MFA for some SPs and not Others
Ullfig, Roberto Alfredo
rullfig at uic.edu
Fri Aug 13 17:15:16 UTC 2021
I had been using relying-party before but wanted more control so moved everything entirely to mfa-authn-config.xml. I can try with some of the old relying party code again, thanks.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Brian Moon via users <users at shibboleth.net>
Sent: Friday, August 13, 2021 12:11 PM
To: Shib Users <users at shibboleth.net>
Cc: Brian Moon <bmoon at scu.edu>
Subject: Re: Forcing MFA for some SPs and not Others
Hello Roberto,
Check out this bit of documentation here: https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1474297850/Supporting+the+REFEDS+MFA+Profile
Basically what you need to do is ensure that you are directing everything to the MFA flow. Within the MFA flow, follow the example to check to see if a second factor is needed and then pass on control as needed.
You will also need to ensure that you have the MFA principals defined and then use conf/relying-party.xml to require MFA for certain SPs.
Hope that helps
Brian Moon
Senior System Administrator, Enterprise Systems
Santa Clara University
On Fri, Aug 13, 2021 at 10:02 AM Wessel, Keith <kwessel at illinois.edu> wrote:
That's not true if you have MFA configured properly. The second MFA should see that the currently satisfied authentication methods aren't sufficient and should prompt the user for step-up authentication. That is, it'll skip asking the user for their username and password again but will go straight to the MFA prompt.
Keith
From: users <users-bounces at shibboleth.net> On Behalf Of Ullfig, Roberto Alfredo
Sent: Friday, August 13, 2021 11:56 AM
To: Shib Users <users at shibboleth.net>
Subject: Forcing MFA for some SPs and not Others
Is there a way for Shibboleth to create different cookies for different SPs? For instance, if I force MFA on an application on the IDP side I can easily get around MFA by logging into another SP that doesn't require MFA first because I've already identified myself.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
--
For Consortium Member technical support, see https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!MLMg-p0Z!WKibHMkiKehbRt_aA4QztTnM5sRY5yu43iAKRJPn2yGtdRNId64dO-3wEJMV$<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fshibboleth.atlassian.net%2Fwiki%2Fx%2FZYEpPw__%3B!!MLMg-p0Z!WKibHMkiKehbRt_aA4QztTnM5sRY5yu43iAKRJPn2yGtdRNId64dO-3wEJMV%24&data=04%7C01%7Crullfig%40uic.edu%7C253f13b8477b4176a01d08d95e7d664a%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637644714952164662%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=o%2BbgTh8%2Bb%2Bgh9FKrXulMMzNwXoEwK5VX0K6PVBcLb7U%3D&reserved=0>
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20210813/8f484324/attachment.htm>
More information about the users
mailing list