Multi-factor authentication (MFA)

HEAnet Newsletter
Issue 1 – April 2019

HEAnet extends its Shibboleth Identity Provider (IdP) service to integrate with Azure MFA as part of its Hosted or Managed IdP service.

When it comes to password management and the associated security risks – the benefits of Single-Sign-On (SSO) are well known. So, when considering MFA, it makes good sense to have a single MFA system that can be used to access multiple services.

For many of our client institutions, HEAnet’s Shibboleth IdP service is the only SSO system deployed and SSO relies on passwords held on campus within AD (Active Directory) or LDAP (lightweight directory access protocol).

Having identified that adding support for MFA to the Shibboleth IdP service would improve or compliment campus identity management services (IdM), and the fact that Microsoft’s Azure MFA was on the horizon for many institutions –  HEAnet has extended its Shibboleth IdP service to integrate with Azure MFA as part of our Hosted or Managed IdP service.

This feature builds on the work already completed on Open ID Connect (OIDC) – resulting in a repeatable design that passes responsibility for authentication to OIDC services like Azure AD, allows a change of MFA vendor at a later stage and authenticates users by password if not enabled for MFA.

The Shibboleth IdP can also revert to on-campus LDAP authentication in the event of a vendor MFA outage.

For more information on MFA or any of our other Middleware services please contact

Posted in: