Forcing MFA for some SPs and not Others

Mak, Steve makst at upenn.edu
Fri Aug 13 18:53:53 UTC 2021


> For instance, if I force MFA on an application on the IDP side I can easily get around MFA by logging into another SP that doesn't require MFA first because I've already identified myself.

https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631610/MultiFactorAuthnConfiguration#Reuse-of-the-Entire-authn/MFA-Flow-Result-(When-Is-a-MFA-Next-Flow-Strategy-Executed?)

Reuse of the Entire authn/MFA Flow Result (When Is a MFA Next Flow Strategy Executed?)

As with any other login flow, if the IdP determines that an active MFA flow result with a particular principal satisfies a request it will reuse the entire MFA result with that principal. As such the IdP will not rerun the authn/MFA flow and any logic in a next flow strategy in the transition map will not have a chance to execute a second time for that user.

The IdP may, however, be configured so that the IdP runs the MFA flow and executes the next flow strategy logic even if the result would normally satisfy the request.

There is an explicit property you can set on the login flow descriptor bean in authn/general-authn.xml (V4.0), or by defining a bean and setting a corresponding idp.authn.MFA.reuseCondition property (V4.1+) that attaches a second kind of condition logic to the login flows called a "reuse condition".
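As an added illustration (not from this post or the Shibboleth wiki), here is a site-defined reuse condition that denies reuse of an active authn/MFA result when the relying party is one of the SPs that must always go through the MFA transition logic, so the "already identified" shortcut from the question no longer applies to those SPs. The bean id and the entityID are constructed; conf/global.xml as the location and authn.properties for the idp.authn.MFA.reuseCondition setting are assumed for an IdP 4.1+ layout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/global.xml (assumed location for site-defined beans, IdP 4.1+) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Reuse condition semantics: true  = an active authn/MFA result may be reused as-is,
                                    false = the MFA flow and its next-flow strategy run again.
         Reuse is denied whenever the relying party is one of the listed SPs
         (constructed entityID), so the transition map re-evaluates for them
         instead of silently accepting a session established at a non-MFA SP. -->
    <bean id="example.MFAReuseCondition" parent="shibboleth.Conditions.NOT">
        <constructor-arg>
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{{'https://mfa-only-sp.example.org/shibboleth'}}" />
        </constructor-arg>
    </bean>

    <!-- Then point the login flow at it, in conf/authn/authn.properties:
         idp.authn.MFA.reuseCondition = example.MFAReuseCondition -->

</beans>
```

Denying reuse only guarantees that the next-flow strategy executes again for those SPs; whether a second factor is actually prompted is still decided by the logic in your transition map.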
