For many use cases, the authentication requirements are increasing and Multi-Factor Authentication (MFA) is being required.
In SAML, the authentication method is expressed with the authentication context class reference (
AuthnContextClassRef ) - in both requests and responses.
To provide a vendor-agnostic (and technology-agnostic) value for expressing that MFA was used, suitable for R&E identity federations, REFEDS has developed the REFEDS MFA Profile: https://refeds.org/profile/mfa (this is both an identifier of the profile AND a documentation link).
This profile can be:
The following pages provide documentation for:
To test the overall experience, the following links initiate a login to the Tuakiri Attribute Validator with MFA requested and checked (and will thus fail with IdPs not supporting MFA):