...
Terminology and Typographical Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.
Text in Italics is non-normative. All other text is normative unless otherwise stated.
All normative parts of the profile is governed by the SWAMID Board of Trustees.
The non-normative (guidance) is maintained by the SWAMID operations team.Definition of terminology
Home Organisation: The SWAMID Member Organisation with which a Subject is affiliated, operating the Identity Provider by itself or through a third party.
Member Organisation: Used in this document as a synonym for Home Organisation
Subject: any natural person affiliated with a Home Organisation, e.g. as a teacher, researcher, staff or student.
Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects who use them to access the services of Relying Party.
Relying Party (RP): A Service that relies upon a Subject’s credentials, typically to process a transaction or grant access to information or a system. Also called a Service Provider (SP).
Second factor: A Single-Factor that is used in addition to a memorised secret, e.g. a password, to create a Multi-Factor login.
Full multi-factor: A Multi-Factor that in itself uses more than on authentication factor type, e.g. a smart card, to create a Multi-Factor login.
2. Purpose, Scope and Summary
...
- Choice of multi-factor technology MUST be documented in section 5.1 Credential Operating Environment. Selcted Multi-Factor
The selected second factor or full multi-factor solution MUST be based on the Single-Factor and Multi-Factor Authenticator Types within NIST 800-63B.
Guidance: SWAMID has published a set of valid choices for second factor and full multi-factor solutions in the document..SWAMID wiki. - Processes for issuing and assigning of credentials (second factor or full multi-factor) MUST be documented in 5.2 Credential Issuing (more precisely in 5.2.5).
Issuing of second factor or full multi-factor MUST be done using one of the following methodsOn-line multi-factor authenticating the Subject with SWAMID MFA Profile or higher level using an external Identity Provider compliant with SWAMID MFA Profile or higher
In-person visit at a service desk in combination with identity proofing as defined by the Swedish Tax Agency for issuance of the Swedish Tax Agency identity card
In-person visit at a service desk in combination with identity proofing with an international passport fulfilling ICAO Doc 9303, an EU/EES national identity card fulfilling the European Commission Regulation No 562/2006 or an EU/EES driving license fulfilling the European Parliament and the Council of European Union Directive 2006/126/EC
Guidance: The second factor or full multi-factor must be issued separately to to the user credentials in accordance with the REFEDS MFA Profile criteria. Multi-Factor solutions provided within the Swedish E-identification system fulfils the requirements and for on-line multi-factor authentication and can be used for online identity vetting if allowed by the E-identification issuer.
- Processes for replacement of additional factors or full multi-factor MUST be documented in 5.3 Credential Renewal and Re-issuing.
Replacement of second factor or full multi-factor MUST be done using the same methods as listed above for Credential Issuing. - Processes for revocation of second factor or full multi-factor MUST be documented in 5.4 Credential Revokation
...