Forcing MFA for some SPs and not Others

Cantor, Scott cantor.2 at
Fri Aug 13 18:47:59 UTC 2021

On 8/13/21, 2:38 PM, "users on behalf of Brian Moon via users" <users-bounces at on behalf of users at> wrote:

>    The behavior you're describing reminds me of what we experienced years ago when setting this up.  I found that
> I needed to set these as follows:
>    * idp.authn.flows = MFA
>    * idp.authn.favorSSO = false

The former is certainly required; there's never been anything but loud warnings about that, but the second doesn't generally matter much.

It's more a historical artifact from the pre-3.3 releases and how they did some of the stuff that the MFA flow is better suited for now. The MFA flow does nothing with that setting and it won't matter unless there are multiple login flows enabled in the first property either. In other words, your problem would have been that one itself, not the second one.

-- Scott
