robot access to SP website
Peter Schober
peter.schober at univie.ac.at
Wed Jun 23 14:18:09 UTC 2021
* Cantor, Scott <cantor.2 at osu.edu> [2021-06-23 15:53]:
> On 6/23/21, 9:32 AM, "users on behalf of Jerry Shipman" <users-bounces at shibboleth.net on behalf of jes59 at cornell.edu> wrote:
> > I can think of other semi-reasonable use cases in which the
> > capability to do this in the SAML would make sense, though. e.g.:
> > "administrative users [in this given group or role] have to MFA,
> > but end users can do whatever" or "students and employees have to
> > MFA, but alumni can do whatever".
>
> How could the SP know which is which when it doesn't know who the
> user is before they've already logged in? That doesn't really
> work. Those kinds of rules are handled by the IdP generally.
Or the application (enforcing step-up authentication with a different
authentication request sent to the IDP)?
-peter
More information about the users
mailing list