The REFEDS MFA Profile: https://refeds.org/profile/mfa is the vendor-agnostic approach to signalling Multi-Factor Authentication in R&E identity federations like Tuakiri (and among such federations when connected to eduGAIN).
Service Providers signal the MFA requirement by including an AuthnContextClassRef with value of https://refeds.org/profile/mfa in the SSO requests.
When receiving such value, the IdP needs to enforce an MFA login flow (if not enabled by default), and upon successful MFA authentication, include the REFEDS MFA AuthnContextClassRef in the SAML response.
How this is done very much depends how how authentication is done on the IdP - and what MFA method the IdP has access to.
The REFEDS MFA profile asks that “two of the four distinct types of factors” (defined in ITU-T X.1254) are used and that “factors used are independent” (access to one factor does not by itself grant access to other factors).
Please read the Criteria in the REFEDS MFA profile at https://refeds.org/profile/mfa before proceeding to assert the REFEDS MFA by your IdP.
Further supporting material is also available at https://wiki.refeds.org/display/PRO/MFA+Profile+FAQ
Some IdPs are configured as a SAML proxy, using the SAML authentication flow (introduced in IdP 4.x) to pass the SSO request to an upstream IdP (acting as an SP towards the upstream IdP).
Typically (in deployments seen in Tuakiri), the upstream IdP is Microsoft AzureAD.
AzureAD supports conceptually same functionality (trigger MFA via AuthnContextClassRef, issue the AuthnContextClassRef when MFA is used) - but uses a vendor-specific value, https://schemas.microsoft.com/claims/multipleauthn .
Configuring REFEDS MFA on an IdP proxying to AzureAD simply means:
Based on contributed upstream documentation, the exact steps are:
/opt/shibboleth-idp/conf/authn/authn-comparison.xml and:
shibboleth.PrincipalProxyRequestMappings and shibboleth.PrincipalProxyResponseMappings .
/opt/shibboleth-idp/dist/conf/authn/authn-comparison.xml .Insert the following entry into the shibboleth.PrincipalProxyRequestMappings list:
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://refeds.org/profile/mfa" />
</key>
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="http://schemas.microsoft.com/claims/multipleauthn" />
</list>
</entry>
Insert the following entry into the shibboleth.PrincipalProxyResponseMappings list:
<entry>
<key>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="http://schemas.microsoft.com/claims/multipleauthn" />
</key>
<list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="https://refeds.org/profile/mfa" />
</list>
</entry>
Add the following setting into /opt/shibboleth-idp/conf/authn/authn.properties (adding REFEDS MFA to the default list of supported authentication methods):
idp.authn.SAML.supportedPrincipals = \
saml2/https://refeds.org/profile/mfa, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password
If the IdP handles authentication locally (via the Password flow) and has an additional flow for MFA, supporting REFEDS MFA should be possible and would involve:
Please get in touch with tuakiri@reannz.co.nz to work out the specific details
Sorry, your IdP needs to support MFA first. But, if your user base is synchronised to AzureAD and MFA is already available there, one suitable solution might be to switch your IdP to proxy authentication to AzureAD - turning it into the first, easy case covered above.
Please get in touch with tuakiri@reannz.co.nz to get started.