<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
That was it; I was too quick to remove the code I had in relying-party.</div>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div></div>
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div style="font-family:Tahoma; font-size:13px">---
<div><span id="ms-rterangepaste-start"></span><span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Roberto Ullfig - rullfig@uic.edu</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Systems Administrator</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">Enterprise Applications & Services | Technology Solutions</span><br style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">
<span style="font-family:arial,helvetica,sans-serif; font-size:13px; line-height:16.003px">University of Illinois - Chicago</span>
<div><span id="ms-rterangepaste-end"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> users &lt;users-bounces@shibboleth.net&gt; on behalf of Ullfig, Roberto Alfredo &lt;rullfig@uic.edu&gt;<br>
<b>Sent:</b> Friday, August 13, 2021 12:15 PM<br>
<b>To:</b> Shib Users &lt;users@shibboleth.net&gt;<br>
<b>Subject:</b> Re: Forcing MFA for some SPs and not Others</font>
<div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I had been using relying-party before but wanted more control, so I moved everything entirely to mfa-authn-config.xml. I can try with some of the old relying-party code again, thanks.</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
</div>
<div id="x_appendonsend"></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> users &lt;users-bounces@shibboleth.net&gt; on behalf of Brian Moon via users &lt;users@shibboleth.net&gt;<br>
<b>Sent:</b> Friday, August 13, 2021 12:11 PM<br>
<b>To:</b> Shib Users &lt;users@shibboleth.net&gt;<br>
<b>Cc:</b> Brian Moon &lt;bmoon@scu.edu&gt;<br>
<b>Subject:</b> Re: Forcing MFA for some SPs and not Others</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div class="x_x_gmail_default" style="font-family:arial,helvetica,sans-serif; font-size:small">
<div class="x_x_gmail_default">Hello Roberto,</div>
<div class="x_x_gmail_default"><br>
</div>
<div class="x_x_gmail_default">Check out this bit of documentation here: <a href="https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1474297850/Supporting+the+REFEDS+MFA+Profile">https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1474297850/Supporting+the+REFEDS+MFA+Profile</a></div>
<div class="x_x_gmail_default"><br>
</div>
<div class="x_x_gmail_default">Basically what you need to do is ensure that you are directing everything to the MFA flow.  Within the MFA flow, follow the example to check to see if a second factor is needed and then pass on control as needed.</div>
<div class="x_x_gmail_default"><br>
</div>
<div class="x_x_gmail_default">You will also need to ensure that you have the MFA principals defined and then use conf/relying-party.xml to require MFA for certain SPs.</div>
</div>
<div class="x_x_gmail_default" style="font-family:arial,helvetica,sans-serif; font-size:small">
<br>
</div>
<div class="x_x_gmail_default" style="font-family:arial,helvetica,sans-serif; font-size:small">
Hope that helps</div>
<div>
<div dir="ltr" class="x_x_gmail_signature">
<div dir="ltr">
<div dir="ltr"><font face="arial, helvetica, sans-serif"><br>
Brian Moon<br>
<font size="1">Senior System Administrator, Enterprise Systems</font></font></div>
<div dir="ltr"><font size="1"><font face="arial, helvetica, sans-serif">Santa Clara University</font></font></div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="x_x_gmail_quote">
<div dir="ltr" class="x_x_gmail_attr">On Fri, Aug 13, 2021 at 10:02 AM Wessel, Keith &lt;<a href="mailto:kwessel@illinois.edu">kwessel@illinois.edu</a>&gt; wrote:<br>
</div>
<blockquote class="x_x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div lang="EN-US" style="">
<div class="x_x_gmail-m_-1375537791944571034WordSection1">
<p class="x_x_MsoNormal">That’s not true if you have MFA configured properly. The second MFA should see that the currently satisfied authentication methods aren’t sufficient and should prompt the user for step-up authentication. That is, it’ll skip asking the user for their username and password again but will go straight to the MFA prompt.</p>
<p class="x_x_MsoNormal">Keith</p>
<div>
<div style="border-right:none; border-bottom:none; border-left:none; border-top:1pt solid rgb(225,225,225); padding:3pt 0in 0in">
<p class="x_x_MsoNormal"><b>From:</b> users &lt;<a href="mailto:users-bounces@shibboleth.net" target="_blank">users-bounces@shibboleth.net</a>&gt;
<b>On Behalf Of </b>Ullfig, Roberto Alfredo<br>
<b>Sent:</b> Friday, August 13, 2021 11:56 AM<br>
<b>To:</b> Shib Users &lt;<a href="mailto:users@shibboleth.net" target="_blank">users@shibboleth.net</a>&gt;<br>
<b>Subject:</b> Forcing MFA for some SPs and not Others</p>
</div>
</div>
<div>
<p class="x_x_MsoNormal"><span style="font-size:12pt; color:black">Is there a way for Shibboleth to create different cookies for different SPs? For instance, if I force MFA on an application on the IDP side I can easily get around MFA by logging into another SP that doesn't require MFA first because I've already identified myself.</span></p>
</div>
<div>
</div>
</div>
</div>
-- <br>
For Consortium Member technical support, see <a href="https://shibboleth.atlassian.net/wiki/x/ZYEpPw" rel="noreferrer" target="_blank">https://shibboleth.atlassian.net/wiki/x/ZYEpPw</a>
<br>
To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net" target="_blank">
users-unsubscribe@shibboleth.net</a><br>
</blockquote>
</div>
</div>
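Brian's two pieces of advice above (per-SP enforcement in conf/relying-party.xml plus a second-factor check inside the MFA flow) and Keith's step-up point, as an added example that is not from this thread or from the Shibboleth project's shipped configuration files. The SP entityID is a placeholder, `authn/TOTP` as the second-factor flow is an assumption, and the bean and class names follow the IdP 4 MFA and REFEDS MFA documentation. It assumes the REFEDS MFA principal is already listed among the MFA flow's supported principals (and not the Password flow's), and that the `util`, `c` and `p` namespaces are declared as in the shipped files.

```xml
<!-- conf/relying-party.xml (example): the SP listed here must satisfy REFEDS MFA; all others keep the default -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://sp-needing-mfa.example.edu/shibboleth'}}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                  c:classRef="https://refeds.org/profile/mfa" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>
</util:list>

<!-- conf/authn/mfa-authn-config.xml (example): every login enters the MFA flow; password first, then decide -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Empty key = start of the flow. An existing SSO session reuses the earlier password result here. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- After the password step, the script decides whether a second factor is still required -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
            nextFlow = "authn/TOTP";   // assumption: TOTP is the second-factor flow in this deployment
            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
            // isAcceptable() is true when the results collected so far already satisfy what the SP asked for.
            // For an SP whose override demands REFEDS MFA, a password-only SSO session is not acceptable, so the
            // user goes straight to the second factor without re-entering the password (step-up); for an SP
            // without the override, the password result alone is acceptable and the flow ends.
            if (mfaCtx.isAcceptable()) {
                nextFlow = null;
            }
            nextFlow;   // the returned flow id (or null to finish) is what the transition follows
        ]]>
        </value>
    </constructor-arg>
</bean>
```

This is what closes the gap Roberto describes: the IdP session is shared, but whether it is sufficient is judged per request against the SP's required principal, not per cookie.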
</div>
</body>
</html>