Skip to main content Skip to section navigation
U.S. flag

An official website of the United States government

Multi-factor authentication

Users can authenticate to either via a SAML IDP managed by their agency or, if their agency has not configured an IDP, using the fallback IDP. The current fallback IDP is based on Shibboleth, with users stored in the Cloud Foundry UAA database.

Problem: the current fallback IDP is solely maintained by the team, which means that it’s missing useful features and in need of updates.

Solution: use Cloud Foundry UAA with MFA as the fallback IDP, and deprecate Shibboleth.

Blockers: UAA MFA requires that all users in an identity zone use MFA, including service accounts used by CI. Because service accounts can’t use MFA, enabling UAA MFA today would essentially break service accounts. Based on, upcoming features in UAA, CAPI, and perm will allow assigning granular permissions to UAA clients, which don’t require MFA. Once these features are released, we can refactor to broker UAA users instead of UAA clients.


  • Wait for upstream to allow granular permissions for UAA clients
  • Enable UAA MFA
  • Migrate existing fallback accounts to UAA
  • Update UAA credentials broker to provision UAA clients instead of users
  • Drop custom database triggers from
  • Deprecate shibboleth
  • Document changes for users