Forcing MFA for some SPs and not Others
cantor.2 at osu.edu
Fri Aug 13 18:47:59 UTC 2021
On 8/13/21, 2:38 PM, "users on behalf of Brian Moon via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> The behavior you're describing reminds me of what we experienced years ago when setting this up. I found that
> I needed to set these as follows:
> * idp.authn.flows = MFA
> * idp.authn.favorSSO = false
The former is certainly required, there's never been anything but loud warnings about that, but the second doesn't generally matter much.
It's more a historical artifact from the pre-3.3 releases and how they did some of the stuff that the MFA flow is better suited for now. The MFA flow does nothing with that setting and it won't matter unless there are multiple login flows enabled in the first property either. In other words, your problem would have been that one itself, not the second one.