The WSFed connection interface only allows for contract assignment for the protocol, not on a per-connection basis like SAML2. For connections that require different authentication contracts, such as 2FA versus risk-based versus Kerberos, this negates the ability to select different contracts based on need.

In our case, we have both default 2FA and Risk-based 2FA available, but not all our WSFed connections need that so the default is Kerberos/WSFed. This prevents us from supporting 2FA WSFed for requesting customers like Sharepoint.


  • Shouldn't this go to Access Manager instead?