
I have an application that is a SAML SP, authenticating users via inbound SAML assertions from some other IdP.

If I want to require multi-factor auth, is it a common practice to add multi-factor auth on the SAML SP side, on top of validating the incoming SAML assertion? Or is it more typical to expect MFA to be implemented in the SAML IdP where the user is directly authenticated?

And is there a standard way to tell whether a user was authenticated with MFA or username/password alone by looking at the claims in the SAML assertion? Or does this depend on the exact IdP implementation?

wrschneider
  • My experience is that most federation partnerships are the SP divesting themselves of the responsibility of determining who the actual user is - that is, the act of "authentication". Why are you, as the SP, determining how the user should be authenticated (that's not your job)? Do you have some regulatory requirement or something similar? – Andrew K. Feb 11 '20 at 22:15
  • Exactly, a mandate for MFA. Wondering if such mandates are best addressed by pushing that requirement to the IdP somehow. – wrschneider Feb 12 '20 at 15:47
  • If *you* have a regulatory mandate that your users perform MFA, then I think it is reasonable to push that requirement back to the IdP in the case of federated users. I will say, however, that it's exceedingly rare for SPs to do that, because there's no real way to enforce it. I would recommend that you, as the SP, put the MFA requirement on them contractually, and continue to accept their assertions. – Andrew K. Feb 12 '20 at 19:14
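The question asks whether the assertion itself reveals if MFA was used, and the comments discuss pushing the MFA requirement to the IdP. In SAML 2.0 the mechanism for both is the authentication context: the SP can include a RequestedAuthnContext in its AuthnRequest, and the IdP reports what it actually did in the AuthnContextClassRef of the assertion's AuthnStatement. The standard defines some context classes, but the URIs IdPs emit for "MFA happened" are not uniform across vendors and federations, so which URIs an SP accepts is local policy. The code below is an added example, not code from the question or from any SAML library; it assumes a Python SP whose SAML library has already validated the Response signature (an unsigned class ref is just text), and the accepted-class set and the sample responses are constructed for this example.

```python
"""SP-side helper: request an MFA authentication context and check the
AuthnContextClassRef the IdP returns.

Hypothetical example code. Assumes the Response's XML signature has already
been verified by the SP's SAML library; this code only inspects the
authentication context, it does not prove the assertion is genuine.
"""
from typing import Iterable, List
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Context classes this hypothetical SP treats as "MFA was performed".
# The first two are standard SAML 2.0 AuthnContext classes; the REFEDS MFA
# profile and the Microsoft claim are federation/vendor specific, which is
# why the accepted set is SP policy rather than something SAML itself fixes.
MFA_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    "https://refeds.org/profile/mfa",
    "http://schemas.microsoft.com/claims/multipleauthn",
}

PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def requested_authn_context(classes: Iterable[str], comparison: str = "exact") -> str:
    """Build the RequestedAuthnContext element an SP places in its AuthnRequest.

    Comparison is one of the SAML values: exact, minimum, maximum, better.
    """
    req = ET.Element("{%s}RequestedAuthnContext" % SAMLP, Comparison=comparison)
    for cls in classes:
        ref = ET.SubElement(req, "{%s}AuthnContextClassRef" % SAML)
        ref.text = cls
    return ET.tostring(req, encoding="unicode")


def authn_context_classes(response_xml: str) -> List[str]:
    """Return every AuthnContextClassRef found in the Response's AuthnStatements."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [el.text.strip() for el in root.iterfind(path, NS) if el.text]


def assertion_satisfies_mfa(response_xml: str, accepted=MFA_CONTEXT_CLASSES) -> bool:
    """True only if at least one AuthnStatement exists and every one of them
    carries an accepted MFA context class. Fails closed on missing data."""
    classes = authn_context_classes(response_xml)
    return bool(classes) and all(cls in accepted for cls in classes)


def _sample_response(context_class: str) -> str:
    # Constructed, unsigned sample Response for demonstration only.
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2020-02-11T22:15:00Z">'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-02-11T22:15:00Z">'
        '<saml:Issuer>https://idp.example.org/</saml:Issuer>'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '<saml:AuthnStatement AuthnInstant="2020-02-11T22:14:58Z">'
        '<saml:AuthnContext><saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
        '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
    ) % (SAMLP, SAML, context_class)


MFA_RESPONSE = _sample_response("https://refeds.org/profile/mfa")
PASSWORD_RESPONSE = _sample_response(PASSWORD_ONLY)

if __name__ == "__main__":
    print(requested_authn_context(["https://refeds.org/profile/mfa"]))
    print("MFA response accepted:", assertion_satisfies_mfa(MFA_RESPONSE))
    print("Password response accepted:", assertion_satisfies_mfa(PASSWORD_RESPONSE))
```

Two design points worth noting: the check fails closed when the assertion carries no AuthnStatement at all, since an IdP that omits the context has not told the SP anything; and an IdP is free to ignore a RequestedAuthnContext, so the SP must still inspect what came back rather than trusting that its request was honoured.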
