robot access to SP website
Jerry Shipman
jes59 at cornell.edu
Wed Jun 23 14:29:34 UTC 2021
> How could the SP know which is which when it doesn't know who the user is before they've already
> logged in? That doesn't really work. Those kinds of rules are handled by the IdP generally.
I think when we did it in our legacy SSO, we used two methods:
1) the SP-analog can say as part of the initial request: "if the user is in one of the following AD groups, do two factor."
2) Do two trips. The first trip does a default AuthnContextClassRef-analog login to get the username/attributes, then looks at those. If it decides it needs MFA, it would then do a second trip during which the IDP-analog prompts for the second factor.
(1) might be ruled out by the semantics of what's available in the protocol, but it seems like (2) might be possible?
With that said, it's fine to do it on the IDP side. Could we do that for this robot if we wanted to?
Thank you,
Jerry
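The two-trip flow described in method (2), written out as an SP-side policy layer. This is an added example, not code from the post or from Shibboleth: the first trip gets a password-strength assertion and the SP reads the attributes; if the user is in a group that requires MFA, the SP sends a second AuthnRequest carrying a RequestedAuthnContext for the stronger class, and then checks that the assertion it gets back really carries that class and names the same subject before granting access. The group DN, the issuer and ACS URLs and the sample assertions are constructed for the example; the REFEDS MFA context URI is assumed to be what the IdP uses for its second factor. Signature and Conditions validation is assumed to have been done by the SAML library before this code runs.

```python
"""SP-side step-up decision for the two-trip MFA flow (added example)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Assumption: the IdP signals its second factor with the REFEDS MFA profile URI.
MFA_CTX = "https://refeds.org/profile/mfa"
# Assumption: SP-local policy; the group DN is made up for this example.
MFA_GROUPS = {"CN=Finance-Admins,OU=Groups,DC=example,DC=edu"}


def parse_assertion(xml_text):
    """Extract NameID, AuthnContextClassRef and attributes from an assertion.
    Signature/Conditions checks are assumed done by the SAML library already."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    ctx = root.find(".//saml:AuthnContextClassRef", NS)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS) if v.text
        ]
    return {
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "ctx": ctx.text.strip() if ctx is not None and ctx.text else None,
        "attrs": attrs,
    }


def needs_mfa(attrs, mfa_groups=MFA_GROUPS):
    """Policy from the first trip's attributes: any required group -> MFA."""
    return any(g in mfa_groups for g in attrs.get("memberOf", []))


def build_authn_request(issuer, acs_url, authn_context, comparison="exact"):
    """Build the second-trip samlp:AuthnRequest with a RequestedAuthnContext."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = issuer
    rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % NS["samlp"],
                        {"Comparison": comparison})
    ET.SubElement(rac, "{%s}AuthnContextClassRef" % NS["saml"]).text = authn_context
    return ET.tostring(req, encoding="unicode")


def decide(assertion_xml, step_up_requested=False, expected_name_id=None):
    """Return 'grant', 'step_up' or 'deny' for an assertion received at the ACS.
    step_up_requested is True when this assertion answers the second trip."""
    a = parse_assertion(assertion_xml)
    if step_up_requested:
        # Do not assume the IdP honoured the request: the returned class must
        # match, and the second assertion must be about the same subject.
        if a["ctx"] != MFA_CTX or a["name_id"] != expected_name_id:
            return "deny"
        return "grant"
    if needs_mfa(a["attrs"]) and a["ctx"] != MFA_CTX:
        return "step_up"  # caller now sends build_authn_request(..., MFA_CTX)
    return "grant"


def make_assertion(name_id, ctx, groups):
    """Constructed sample assertion for offline use (unsigned, minimal)."""
    values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % g for g in groups)
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_%s" Version="2.0" '
        'IssueInstant="2021-06-23T14:00:00Z">'
        "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>"
        "<saml:AuthnStatement><saml:AuthnContext>"
        "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement>"
        '<saml:AttributeStatement><saml:Attribute Name="memberOf">%s'
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    ) % (NS["saml"], uuid.uuid4().hex, name_id, ctx, values)


if __name__ == "__main__":
    admin = make_assertion("user1@example.edu", PASSWORD_CTX, MFA_GROUPS)
    print(decide(admin))  # step_up
    print(build_authn_request("https://sp.example.edu/shibboleth",
                              "https://sp.example.edu/Shibboleth.sso/SAML2/POST", MFA_CTX))
    print(decide(make_assertion("user1@example.edu", MFA_CTX, MFA_GROUPS),
                 step_up_requested=True, expected_name_id="user1@example.edu"))  # grant
```

The second-trip check is the part that matters: an IdP that does not support the requested class may answer with a plain password assertion or an error status, and the SP must treat anything other than the requested class for the same subject as a failed step-up rather than a login.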