Giving an SP the authnContextClassRef they asked for

Wessel, Keith kwessel at
Thu Jan 13 18:46:48 UTC 2022

Most of our users always have to do MFA. This SP wants all users to have to do MFA. With the current setup, though, no users have to do MFA when logging into this SP because of the requested ACR.

The service owner has yelled at the vendor to fix this. There's absolutely no reason for the vendor to hard code any acr in their request. They either need to request nothing or make it possible for us to control what's requested.

My fix before, when we were using the MFA flow with built-in username and password, let me just remove password from the attribute that listed which methods the user could get through with if the request came from this SP, forcing the user to have to do MFA. This was until the vendor could fix their broken system.

Now that I'm no longer using a second factor script, that's no longer an option.

Is there any way to work around this until the vendor gets a clue? Can I map acrs for a specific relying party? Or can I create a translation strategy bean and associate it with this SP to essentially translate requests of PPT into MFA?

I realize the whole thing is terribly broken. I'm just trying to make it work until the vendor does the right thing.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Thursday, January 13, 2022 11:42 AM
To: Shib Users <users at>
Subject: Re: Giving an SP the authnContextClassRef they asked for

On 1/13/22, 12:40 PM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

> Are you sure? What use case do you have to let an SP request bad authentication? Do you really imagine that such an SP even understands what it's asking?

Or is your issue that you're not just imposing MFA widely so the majority of them don't get MFA? In which case, sorry, but I think you should just get that SP to fix itself and tell anyone that asks that the reason it doesn't get MFA is that it's demanding that you don't do it. If they care enough about the issue, then they should care enough to report the bug to the vendor.

-- Scott

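The question above is whether an IdP can, for one relying party only, treat a hard-coded request for PasswordProtectedTransport (PPT) as a requirement to perform MFA. The following is an added illustration of that decision logic, not code or configuration from the list post and not Shibboleth's own API: the `RP_OVERRIDES` table, `decide` and `policy_for` are hypothetical names, the AuthnRequest is a constructed sample, and the entityIDs are made up. It parses the RequestedAuthnContext, applies the per-RP override, and keeps the asserted class truthful: for an SP using `Comparison="exact"` it performs the stronger method but still asserts the class the SP asked for (valid only if the MFA flow includes a password step, as the thread's earlier workaround did), while for `Comparison="minimum"` it asserts the stronger class. A real IdP would verify the request's signature and metadata before any of this runs.

```python
"""Per-relying-party authentication-context policy (illustrative only)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard authentication context class URIs.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA = "https://refeds.org/profile/mfa"

# Hypothetical override table (not a Shibboleth setting):
# SP entityID -> {requested class: method the IdP must actually perform}.
RP_OVERRIDES = {
    "https://sp.example.org/shibboleth": {PPT: MFA},  # constructed entityID
}

# IdP-wide default when an SP requests no context at all.
DEFAULT_METHOD = MFA

# Constructed sample AuthnRequest with the hard-coded PPT request.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2022-01-13T18:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def parse_authn_request(xml_text):
    """Return (issuer, comparison, [requested class refs]) from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return issuer, None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return issuer, rac.get("Comparison", "exact"), refs


def decide(issuer, comparison, requested):
    """Choose the method to perform and the class to assert back to the SP."""
    if not requested:
        # Nothing requested: the IdP's own default applies.
        return {"perform": DEFAULT_METHOD, "assert": DEFAULT_METHOD}
    asked = requested[0]
    perform = RP_OVERRIDES.get(issuer, {}).get(asked, asked)
    if comparison == "minimum":
        # SP accepts anything at least as strong; assert what was really done.
        return {"perform": perform, "assert": perform}
    # "exact" (and other comparisons, treated conservatively): assert the class
    # the SP asked for so it does not reject the response. This is only honest
    # when the performed flow also satisfies that class (MFA with a password
    # step satisfies PPT).
    return {"perform": perform, "assert": asked}


def policy_for(xml_text):
    """Convenience wrapper: parse the request and apply the policy."""
    issuer, comparison, requested = parse_authn_request(xml_text)
    return decide(issuer, comparison, requested)


if __name__ == "__main__":
    print(policy_for(SAMPLE_REQUEST))
```

For the sample request the overridden SP gets MFA performed with PPT asserted; any other SP making the same request gets plain PPT, which is exactly the situation the thread describes.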