Giving an SP the authnContextClassRef they asked for
Cantor, Scott
cantor.2 at osu.edu
Thu Jan 13 20:55:27 UTC 2022
On 1/13/22, 3:35 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> If I map PPT to MFA, then any SP that explicitly requests PPT (which they shouldn't be doing, anyway) will
> end up requiring MFA. If a user isn't required to do MFA, they might not be able to log in to that service. But
> frankly, that would be a good indication that an SP is requesting PPT unnecessarily in which case we can yell at
> them.
That's kind of my point: it flushes out bugs but without doing all that much harm.
> If I really wanted to go through the trouble for just this SP, I could manually translate the PPT request into
> MFA with an authnContextTranslationStrategy bean, correct? Not that I think it's worth the effort. Just asking.
No, that's the reverse direction. We're talking about mapping requested values; that's a different hook, as I posted earlier.
-- Scott