Yes, you can do this. Read the wiki document that covers MFA configuration.
In particular, look at the example script entitled “Conditional use of two factors, Flow1 and Flow2.”
You say you already know how to resolve the attributes, and the example script also demonstrates attribute resolution.
The example does not show how to obtain the SP entityID (which you also need) but that is pretty easy:
rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
rpid = rpCtx.getRelyingPartyId(); // rpid is type String containing SP entityID
Now you can script whatever logical test you want based on attribute values and the entityID.
Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email] 434-924-0640
From: users [mailto:[hidden email]]
On Behalf Of Lionel Samuel
Sent: Friday, June 29, 2018 11:48 PM
To: Shib Users <[hidden email]>
Subject: DUO MFA Trigger on Attributes
Is it possible for DUO MFA to trigger on differing attribute values based on the SP being accessed?
Trigger MFA on user if has 'memberOf' attribute 'ou=employee'
Trigger MFA on user if has 'memberOf' attribute 'ou=IT-faculty'
If the above is possible, are there any examples that can be shared?
I know how to trigger when a common attribute value is the trigger, based on the example shipped, but not when differing values per SP are the trigger.
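
The per-SP test discussed in this thread, as an added example that is not part of the original messages or of the Shibboleth project's code. The entity IDs, the pairing of each OU with an SP, and the names MFA_TRIGGERS, rdnsOf and requiresMfa are assumptions made for illustration; the code is ES5 so the functions can be pasted into the IdP's scripted MFA logic.

```javascript
// Added example: decide per SP whether a user's memberOf values trigger MFA.
// Constructed policy table: SP entityID -> RDNs that trigger MFA (lower case).
var MFA_TRIGGERS = {
  "https://sp1.example.org/shibboleth": ["ou=employee"],
  "https://sp2.example.org/shibboleth": ["ou=it-faculty"]
};

// Split a DN into trimmed, lower-cased RDNs, honouring backslash-escaped
// characters so an escaped comma does not start a new component.
// Assumption: the directory compares these attribute values case-insensitively.
function rdnsOf(dn) {
  var parts = [], cur = "", i, ch;
  for (i = 0; i < dn.length; i++) {
    ch = dn.charAt(i);
    if (ch === "\\" && i + 1 < dn.length) { cur += ch + dn.charAt(++i); }
    else if (ch === ",") { parts.push(cur); cur = ""; }
    else { cur += ch; }
  }
  parts.push(cur);
  return parts.map(function (p) {
    return p.replace(/\s*=\s*/, "=").trim().toLowerCase();
  });
}

// True when the SP has an entry in the table and at least one memberOf value
// contains one of its trigger RDNs as a whole component. A plain substring
// test would also match "ou=employee-retired", which is not intended.
function requiresMfa(rpid, memberOfValues) {
  // hasOwnProperty keeps an entityID such as "constructor" from resolving
  // to an inherited Object property.
  var wanted = MFA_TRIGGERS.hasOwnProperty(rpid) ? MFA_TRIGGERS[rpid] : null;
  if (wanted === null || !memberOfValues) { return false; }
  return memberOfValues.some(function (dn) {
    var rdns = rdnsOf(String(dn));
    return wanted.some(function (w) { return rdns.indexOf(w) !== -1; });
  });
}
```

In the IdP script, rpid is the value returned by rpCtx.getRelyingPartyId() and memberOfValues is the resolved memberOf attribute's values converted to strings; SPs absent from the table get no MFA trigger from this function, which is a choice of this example.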