Require MFA when using SSO + External idP

As stated in AWS Documentation[1] above you need to configure IDP[2] for MFA, rather than using AWS Console. I suggest you follow official doc from IDP provider

Here is outline for setting up AWS MFA with an external identity provider (IdP):

1. In AWS IAM, create an IAM role that will be used to give access to your AWS resources. Grant this role the permissions it needs.
2. In your external IdP (e.g. Okta, Azure AD), configure AWS as a service provider application.
3. When adding the app, you will need to provide the AWS IAM role ARN that you created. This links the IdP to that IAM role.
4. Configure your IdP to use MFA for users. This could be Okta Verify, Google Authenticator, etc based on your IdP.
5. Assign users to the AWS app in the IdP. When they sign in with MFA and are authenticated, they will assume the IAM role in AWS and gain access.
6. The AWS IAM role trusts the external IdP to authenticate users. The role does not have direct password access itself.
7. Make sure to restrict access to the AWS Management Console in IAM if you only want to allow programmatic access via the role.

So in summary, the external IdP handles authentication and MFA, and the AWS role handles authorization based on permissions granted. The two are linked via the external ID provided when creating the IAM role.

Reference: [1] - https://docs.aws.amazon.com/singlesignon/latest/userguide/mfa-enable-how-to.html [2]- Okta example https://help.okta.com/en-us/content/topics/security/mfa/mfa-factors.htm

Unfortunately, no. The document you link to says right at the top that the MFA section will be missing if you use an external IdP.

This AWS document expands on the limitation:

You can use IAM Identity Center’s multi-factor authentication capabilities when your identity source is configured with IAM Identity Center’s identity store, AWS Managed Microsoft AD, or AD Connector. MFA in IAM Identity Center is currently not supported for use by external identity providers.

I am asking the saml2 admins if they can make it request MFA on their end, but my understanding is that the SAML request coming from AWS is what normally would do that. I found a piece of documentation from Atlassian that might help:

SAML includes an optional feature during login requests called <RequestedAuthnContext> that acts as a signal to the Identity Provider to require a particular kind of authentication be used, instead of the default of leaving the decision up to the IdP. This feature is generic, but the most common use case for this feature tends to be requiring the use of some form of MFA.

When I use shibboleth from apache, that's what I do. This is how I have an Apache with some areas that require MFA and others that don't. In Apache you configure this as:

<RequireAll>
    Require authnContextClassRef "https://refeds.org/profile/mfa"
    Require shib-session
</RequireAll>

so I think what really need to happen here is that cognito either on its own, because of the idp configuration on the amazon side, or beacuse identity told it, it needs to make the SAML request with the context class set to https://refeds.org/profile/mfa -- does that make sense?

--C

UPDATE: I talked to our Shibboleth administrator to make sure I got the ideas here right, and I'm convinced I do. Yes, we CAN force MFA on the identity provider side but that's not the right way to do this. The correct way is that the SP (Cognito) has a way to signal that you want MFA on the idP side, then when the SP (cognito) makes the request it specifies an AuthnContext of http://rit.edu/ac/classes/mfa .

I would like to escalate this as a pretty important feature request into Cognito. Is there something I can do here to facilitate that?