...
This multi factor profile is based on an extension to the REFEDS MFA Profile (https://refeds.org/profile/mfa) but is expanded in order to be completely applicable for Swedish Higher Education. This profile also imposes additional criteria in order to clarify uncertainties in the REFEDS MFA Profile.
3. Syntax
The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance marker: <Insert marker>
In accordance with the REFEDS MFA Profile:
In a SAML assertion, compliance is communicated by asserting the AuthnContextClassRef: https://refeds.org/profile/mfa
In accordance with this profile, the SWAMID MFA Profile:
In a SAML assertion, compliance is communicated by asserting the AuthnContextClassRef: https://swamid.se/profile/mfa
4. Compliance and Audit
The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile.
Only subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.
Guidance: The Identity Provider is not allowed to signal the above listed AuthnContextClassRefs for subjects not at SWAMID Identity Assurance Level 2.
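As an added illustration, not part of the profile text or any SWAMID software, the following Python shows the two checks that sections 3 and 4 imply: the Identity Provider side must not assert either MFA AuthnContextClassRef unless the subject is at AL2 and a second factor was actually used, and the Service Provider side should accept only the two AuthnContextClassRef values listed in section 3 of this draft. The sample assertion is constructed; the function names are the example's own.

```python
"""Added example: guard and check the SWAMID/REFEDS MFA AuthnContextClassRef values."""
import xml.etree.ElementTree as ET
from typing import Optional

# AuthnContextClassRef values as given in section 3 of this profile.
REFEDS_MFA = "https://refeds.org/profile/mfa"
SWAMID_MFA = "https://swamid.se/profile/mfa"
MFA_CLASSES = frozenset({REFEDS_MFA, SWAMID_MFA})

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def idp_authn_context(subject_at_al2: bool, mfa_done: bool, requested: list) -> Optional[str]:
    """IdP side: return the class ref to assert, or None if MFA must not be signalled.

    Section 4 guidance: only subjects currently at SWAMID AL2 may be asserted with
    either MFA value, and only when a second factor was really used. The SP's
    RequestedAuthnContext order is honoured, so the first matching value wins.
    """
    if not (subject_at_al2 and mfa_done):
        return None
    for candidate in requested:
        if candidate in MFA_CLASSES:
            return candidate
    return None  # the SP asked for something this profile does not cover


def sp_accepts_mfa(assertion_xml: str) -> tuple:
    """SP side: accept the assertion only if its AuthnContextClassRef is an MFA value."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or not (ref.text or "").strip():
        return False, "no AuthnContextClassRef in assertion"
    value = ref.text.strip()
    if value not in MFA_CLASSES:
        # e.g. a plain password context: the IdP did not (or could not) signal MFA
        return False, f"unexpected AuthnContextClassRef: {value}"
    return True, value


# Constructed sample assertion fragment (not a real SWAMID response).
SAMPLE_OK = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{REFEDS_MFA}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
SAMPLE_PW = SAMPLE_OK.replace(REFEDS_MFA, "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

if __name__ == "__main__":
    print(sp_accepts_mfa(SAMPLE_OK), sp_accepts_mfa(SAMPLE_PW))
    print(idp_authn_context(False, True, [REFEDS_MFA]))  # None: subject not at AL2
```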
The Member organisation SHOULD document valid parts regarding the credential operating environment for the multi factor in the Identity Management Practice Statement and get the Identity Management Practice Statement approved by the SWAMID Board of Trustees.
- Implementation of multi factor technique SHOULD be documented in 5.1 Credential Operating Environment. Valid choices for multi factor technique in SWAMID are listed in the document ...
- Processes for issuing and assigning of credentials (all valid factors) SHOULD be documented in 5.2 Credential Issuing (more precisely in 5.2.5). Issuing of Credentials MUST still fulfil the criteria listed in the SWAMID Assurance Level 2 Profile.
- Processes for renewal of additional factors SHOULD be documented in 5.3 Credential Renewal and Re-issuing. Renewal and Re-issuing of Credentials MUST still fulfil the criteria listed in the SWAMID Assurance Level 2 Profile.
- Processes for revocation of additional factors SHOULD be documented in 5.4 Credential Revocation. Revocation of Credentials MUST still fulfil the criteria listed in the SWAMID Assurance Level 2 Profile.
...