Hello Dataverse community,
For those of you running Shibboleth with the InCommon Federation: has anyone successfully implemented MFA as a "preferred" requirement for federated IdPs while allowing fall-back authentication for IdPs which don't have MFA configured?
An authnContextClassRef="
https://refeds.org/profile/mfa" requires MFA (fine) but if I make authnContextClassRef a list: "
https://refeds.org/profile/mfa urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" as best I can tell I'm stating that either method is acceptable, and so I'm not prompted for MFA on sign-in.
We don't currently require MFA but we may have to at some point and I'd love to iron this out. Your suggestions or experiences would be most welcome.
Thank you,
Don
(Odum Institute)