> But you could just configure the 2FA for the downstream service, no?

Only if the downstream service supports it. Lots don't, or at least don't enforce it when you come in via SSO.

AWS SSO being the one I keep coming back to, because it bugs me so much.

For those that do, you now have to also manage the 2FA tokens with that service, using whatever they support. Often that's SMS-based 2FA, or maybe TOTP, or their own custom TOTP/Push. Maybe they support FIDO2, but only a single FIDO2 key.
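The comment above is about a downstream service that accepts an SSO login without knowing, or caring, whether a second factor was used. In SAML the only signal the service provider (SP) gets is the AuthnContextClassRef and AuthnInstant inside the assertion's AuthnStatement, so "enforce 2FA when arriving via SSO" comes down to the SP refusing assertions whose authentication context is password-only or too old. The following is an added example of that SP-side check; it is not code from the thread or from any product named in it. The set of context classes treated as "second factor present", the five-minute freshness window and the sample assertions are all assumptions constructed for illustration, and the check presumes the assertion's XML signature has already been verified elsewhere (an unsigned assertion proves nothing about its context).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumption: which SAML 2.0 authentication context classes count as
# "a second factor was used" is a local policy decision. These are
# standard class URIs from the SAML 2.0 Authentication Context spec;
# the password-only classes are deliberately left out.
MFA_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Assumption: an authentication older than this must be re-done (step-up)
# before the SP grants access to a sensitive resource.
MAX_AUTHN_AGE = timedelta(minutes=5)


def check_authn_context(assertion_xml: str, now: datetime) -> Tuple[bool, str]:
    """Return (accept, reason) for an already signature-verified assertion.

    Rejects if there is no AuthnStatement, if the AuthnContextClassRef is
    missing or not in MFA_CLASSES, or if AuthnInstant is older than
    MAX_AUTHN_AGE relative to `now` (timezone-aware UTC).
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement"

    cls = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    cls_text = (cls.text or "").strip() if cls is not None else ""
    if not cls_text:
        return False, "no AuthnContextClassRef"
    if cls_text not in MFA_CLASSES:
        return False, "authn class not MFA: " + cls_text

    instant = stmt.get("AuthnInstant")
    if instant is None:
        return False, "no AuthnInstant"
    authn_time = datetime.fromisoformat(instant.replace("Z", "+00:00"))
    if now - authn_time > MAX_AUTHN_AGE:
        return False, "authn too old, require step-up"
    return True, "ok"


def build_assertion(authn_class: str, authn_instant: str) -> str:
    """Constructed sample assertion for testing (not a real IdP's output).

    A real assertion also carries Subject, Conditions and a ds:Signature;
    only the parts this check reads are included here.
    """
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_sample" Version="2.0" IssueInstant="{i}">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="{i}" SessionIndex="_s1">'
        "<saml:AuthnContext><saml:AuthnContextClassRef>{c}"
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>"
    ).format(i=authn_instant, c=authn_class)


if __name__ == "__main__":
    now = datetime(2025, 7, 1, 12, 0, tzinfo=timezone.utc)
    for label, a in [
        ("password only", build_assertion(PASSWORD_ONLY, "2025-07-01T11:59:00Z")),
        ("totp, fresh", build_assertion(
            "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken", "2025-07-01T11:58:00Z")),
        ("totp, stale", build_assertion(
            "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken", "2025-07-01T11:00:00Z")),
    ]:
        print(label, check_authn_context(a, now))
```

Two caveats follow from the comment. If the IdP only ever reports a password-only class for SSO logins, or omits the context entirely, this check can do nothing but reject, which is the "don't enforce it when you come in via SSO" situation; the SP can ask for a stronger context by sending a RequestedAuthnContext with Comparison="exact" in its AuthnRequest, but whether the IdP honours it is up to the IdP. And the freshness rule only approximates a step-up: it forces re-authentication at the IdP, not necessarily a new second-factor prompt, unless the IdP's policy ties the two together.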




Yeah, makes sense, thanks. I think I'm fine with 2FA on GSuite login + CAA on subsequent SSOs, but I do think it would be nice to be able to force another 2FA for sensitive stuff like AWS.

Unfortunately, GSuite seems to move very slowly :\



