robot access to SP website

Cantor, Scott cantor.2 at
Wed Jun 23 14:39:02 UTC 2021

>    (1) might be ruled out by the semantics of what's available in the protocol, but it seems like (2) might be
> possible?

Very difficult IMHO, and beyond the capability of most deployers and applications and beyond the will of most that could.

> With that said, it's fine to do it on the IDP side. Could we do that for this robot if we wanted to?

If it's a dedicated user identity I suppose, and you really wanted to round trip a robot through an IdP, which seems like a bad idea to me to start with.

Another way would be to configure the SP to request and require MFA, but have the robot trigger its login by overriding the authnContextClassRef on the /Shibboleth.sso/Login URL so the SP doesn't request MFA and adjust the require rules to permit the non-MFA context class if and only if the identity is that of the robot. i.e. move the special case from the IdP to the SP.

As an IdP operator, I would categorically not do the work to exempt a robot identity for a single service if it wasn't a generic thing we had support for, e.g. tagging all monitoring identities in IDM so I could build a general rule.

-- Scott

More information about the users mailing list