Supporting different authnContextClassRef on the same SP?

Cantor, Scott cantor.2 at
Wed Aug 18 18:55:48 UTC 2021

On 8/18/21, 2:29 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at on behalf of rullfig at> wrote:

>    That won't work though if I access another directory on the server first (which doesn't require MFA). Is there
> a way around that or not? Thanks!

Not a practical one.

The bad answer is to use overrides, which are a nightmare and completely beyond the capability of most anybody but me and I have given up trying to help that. They don't make sense to people and I can't document them any better than I have, so it's a standoff.

Another answer is, this is the app's job, people can't be delegating all this to the SP. Redirects into /Login with the desired context class and handling access within the application is the most practical way to do this sort of thing.

-- Scott

More information about the users mailing list