There are still many cases in which it is necessary to force the use of specific login methods because the SP cannot request them itself. This can be achieved on the IdP in two ways:
- by overriding the SP in relying-party.xml using the defaultAuthenticationMethods property
- by writing code in an MFA transition script in mfa-authn-config.xml
Relying party method
This is the simplest method, but it provides no fine-grained control. More information can be found in Shibboleth's documentation: https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199508270/ProfileConfiguration-Authentication
The latest example version is published at https://mds.swamid.se/entity-configurations/Shibboleth-IdP/v5/relying-party.xml.
MFA authn config method
Using an inlineScript to check the MFA context is described in the Shibboleth wiki at https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505534/MultiFactorAuthnConfiguration.
This provides more powerful and fine-grained control than the relying-party method.
Here are some examples of how the standard script provided by Shibboleth can be extended to decide if MFA should be required based upon:
- the network the user is connecting from
- group membership
- attribute values
The code examples have been generously contributed by Högskolan i Borås.
The latest version is published at https://mds.swamid.se/entity-configurations/Shibboleth-IdP/v5/mfa-authn-config.xml.
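The fragment below is an added example of the three criteria listed above (network, group membership, attribute values) worked into one transition script; it is written for this page and is neither the SWAMID file linked above nor the script contributed by Högskolan i Borås. It follows the inlineScript pattern from the Shibboleth wiki (AuthenticationContext, MultiFactorAuthenticationContext, attribute resolution through the shibboleth.AttributeResolverService custom object). Assumptions, all marked in the code: the second-factor flow name authn/Duo, the address ranges, the group and affiliation values, the attribute IDs isMemberOf and eduPersonAffiliation, and that the client address is available from the UserAgentContext and can be matched with net.shibboleth.shared.net.IPRange.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Password first; after it, the script decides whether a second factor is required. -->
    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
        </entry>
    </util:map>

    <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
          p:customObject-ref="shibboleth.AttributeResolverService">
        <constructor-arg>
            <value>
            <![CDATA[
            // Placeholder policy data; replace with the IdP's own flow, ranges, groups and attributes.
            var secondFactorFlow = "authn/Duo";                            // assumed second-factor flow
            var trustedNetworks  = ["192.0.2.0/24", "2001:db8::/32"];      // constructed documentation ranges
            var mfaGroups        = ["cn=it-admins,ou=groups,dc=example,dc=org"]; // isMemberOf values
            var mfaAffiliations  = ["staff"];                              // eduPersonAffiliation values

            var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            var mfaCtx  = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

            // 1. Network: is the client inside a trusted range? An unknown address counts as off-network.
            //    (UserAgentContext carrying the address and net.shibboleth.shared.net.IPRange are assumed.)
            var onTrustedNetwork = false;
            var uaCtx = input.getSubcontext("net.shibboleth.idp.authn.context.UserAgentContext");
            if (uaCtx != null && uaCtx.getAddress() != null) {
                var IPRange = Java.type("net.shibboleth.shared.net.IPRange");
                for (var i = 0; i < trustedNetworks.length && !onTrustedNetwork; i++) {
                    onTrustedNetwork = IPRange.parseCIDRBlock(trustedNetworks[i]).contains(uaCtx.getAddress());
                }
            }

            // 2. and 3. Resolve the attributes the policy depends on for the user who just logged in.
            var resCtx = input.getSubcontext("net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
            var lookupClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
            resCtx.setPrincipal(new lookupClass().apply(input));
            resCtx.getRequestedIdPAttributeNames().add("isMemberOf");
            resCtx.getRequestedIdPAttributeNames().add("eduPersonAffiliation");
            resCtx.resolveAttributes(custom);   // custom is the shibboleth.AttributeResolverService bean

            // True if the resolved attribute has at least one value from the wanted list.
            function hasAnyValue(attributeId, wanted) {
                var attr = resCtx.getResolvedIdPAttributes().get(attributeId);
                if (attr == null) { return false; }
                var values = attr.getValues();
                for (var j = 0; j < values.size(); j++) {
                    if (wanted.indexOf(String(values.get(j).getNativeValue())) >= 0) { return true; }
                }
                return false;
            }
            var inMfaGroup        = hasAnyValue("isMemberOf", mfaGroups);         // group membership
            var hasMfaAffiliation = hasAnyValue("eduPersonAffiliation", mfaAffiliations); // attribute value
            input.removeSubcontext(resCtx);     // do not leave a stale resolution context behind

            // Policy: off-network users, members of the listed groups and the listed affiliations always
            // get a second factor; everyone else only when the password login does not already satisfy
            // what the SP requested.
            var forceMfa = !onTrustedNetwork || inMfaGroup || hasMfaAffiliation;
            if (forceMfa || !mfaCtx.isAcceptable()) {
                nextFlow = secondFactorFlow;
            } else {
                nextFlow = null;                // password alone is enough for this request
            }
            nextFlow;
            ]]>
            </value>
        </constructor-arg>
    </bean>
</beans>
```

The attribute IDs used in the script must be defined in the IdP's attribute resolver, and every login that reaches this transition pays for one extra resolver call; keep the requested attribute list short. The decision deliberately errs toward requiring the second factor when the client address cannot be determined.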