robot access to SP website

Peter Schober peter.schober at
Wed Jun 23 14:18:09 UTC 2021

* Cantor, Scott <cantor.2 at> [2021-06-23 15:53]:
> On 6/23/21, 9:32 AM, "users on behalf of Jerry Shipman" <users-bounces at on behalf of jes59 at> wrote:
> >    I can think of other semi-reasonable use cases in which the
> > capability to do this in the SAML would make sense, though. e.g.:
> > "administrative users [in this given group or role] have to MFA,
> > but end users can do whatever" or "students and employees have to
> > MFA, but alumni can do whatever".
> How could the SP know which is which when it doesn't know who the
> user is before they've already logged in? That doesn't really
> work. Those kinds of rules are handled by the IdP generally.

Or the application (enforcing step-up authentication with a different
authentication request sent to the IDP)?


More information about the users mailing list