Giving an SP the authnContextClassRef they asked for
cantor.2 at osu.edu
Thu Jan 13 20:55:27 UTC 2022
On 1/13/22, 3:35 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> If I map PPT to MFA, then any SP that explicitly requests PPT (which they shouldn't be doing, anyway) will
> end up requiring MFA. If a user isn't required to do MFA, they might not be able to log in to that service. But
> frankly, that would be a good indication that an SP is requesting PPT unnecessarily in which case we can yell at
That's kind of my point, it flushes out bugs but without doing all that much harm.
> If I really wanted to go through the trouble for just this SP, I could manually translate the PPT request into
> MFA with an authnContextTranslationStrategy bean, correct? Not that I think it's worth the effort. Just asking.
No, that's the reverse direction. We're talking about mapping requested values, that's a different hook as I posted earlier.
More information about the users