Include inside SAML assertions whether a user has gone through MFA


#1

Hi!

I was wondering, is there a way to detect whether or not a user has gone through MFA?

It would be pretty awesome to then be able to attach that as a SAML assertion.

I couldn’t find anything inside the expression language documentation so I wanted to see whether it is documented elsewhere or whether it is just not feasible.

Thanks,

Felix


#2

The correct way to achieve this with SAML is with Authentication Context Classes via <AuthnContextClassRef> as part of the <AuthnStatement>. There are standard class references defined by SAML spec that describe how a user authenticated at the IdP such as urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered. Unfortunately this is not supported at this time and we don’t have any current roadmap plans to add support.

We do however support passing authentication methods with OpenID Connect with the amr claim using methods defined in https://tools.ietf.org/html/draft-ietf-oauth-amr-values-08. This happens automatically when issuing an ID Token.

Additionally, we also publish the user’s AMRs via the Sessions API. This can be retrieved with a CORS call to /sessions/me.
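The two signals the answer above describes (a SAML AuthnContextClassRef inside the AuthnStatement, and the OIDC amr claim from draft-ietf-oauth-amr-values) are both consumed on the service-provider side. The code below is an added example, not part of this thread and not Okta's own code: it reads each signal from a constructed sample and decides whether the login counted as multi-factor. The sample assertion, the sample ID token, the set of accepted SAML context classes and the grouping of amr values into factor categories are all assumptions made for the example; a relying party would set those to its own policy. Both helpers assume the assertion or token signature was already verified by your SAML/OIDC library, and production code should parse untrusted XML with a hardened parser rather than the stdlib one used here.

```python
"""SP-side checks for "did this user do MFA?" from two signals:
a SAML <AuthnContextClassRef> and an OIDC `amr` claim.
The assertion and ID token below are constructed for this example.
Signature verification is assumed to have happened before these
helpers run; they only interpret already-trusted content."""
import base64
import json
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SAML 2.0 authentication context classes this example treats as "MFA".
# Which classes a relying party accepts is policy (an assumption here).
MFA_AUTHN_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}

# amr values from draft-ietf-oauth-amr-values, grouped by factor category
# (grouping is an assumption for this example).
AMR_CATEGORIES = {
    "knowledge": {"pwd", "pin", "kba"},
    "possession": {"otp", "sms", "hwk", "swk", "sc", "tel"},
    "inherence": {"fpt", "face", "iris", "retina", "vbm"},
}


def saml_authn_context(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef of the first AuthnStatement, or None."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS
    )
    if ref is None or not ref.text:
        return None
    return ref.text.strip()


def saml_used_mfa(assertion_xml: str) -> bool:
    """True only if the asserted context class is one the SP accepts as MFA."""
    return saml_authn_context(assertion_xml) in MFA_AUTHN_CONTEXT_CLASSES


def amr_used_mfa(claims: dict) -> bool:
    """True if amr asserts 'mfa' outright or spans two distinct factor categories."""
    amr = set(claims.get("amr") or [])
    if "mfa" in amr:
        return True
    categories_hit = sum(1 for methods in AMR_CATEGORIES.values() if amr & methods)
    return categories_hit >= 2


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment of a compact JWS (signature assumed verified)."""
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def id_token_used_mfa(id_token: str) -> bool:
    return amr_used_mfa(id_token_claims(id_token))


# --- constructed sample inputs (not real IdP output) ----------------------
CONSTRUCTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>felix@example.test</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed ID token: header.payload.<placeholder signature>, unsigned on purpose
CONSTRUCTED_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "https://idp.example.test", "sub": "felix",
                        "amr": ["pwd", "otp"]}).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    print("SAML context:", saml_authn_context(CONSTRUCTED_ASSERTION))
    print("SAML MFA:", saml_used_mfa(CONSTRUCTED_ASSERTION))
    print("OIDC MFA:", id_token_used_mfa(CONSTRUCTED_ID_TOKEN))
```

The amr check deliberately does not count two methods from the same category (password plus PIN) as MFA; only an explicit "mfa" value or methods from two different categories pass. The same policy should be enforced wherever a step-up decision is made, including on data fetched from the Sessions API endpoint mentioned above.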