...

The second factor or full multi-factor must be issued to the Subjects without using the current single factor credential, i.e. password, for identity proofing in accordance with the REFEDS MFA Profile criteria.

Not all Subjects within an Identity Provider need to have the same credential types: some can only use passwords, some Person-Proofed Multi-Factors, and some Person-Proofed Multi-Factors with high identity assurance. It is, however, important that the home organisation maintain a record of the credential types a Subject can use and correctly inform services about the credential type used if requested.

Person-Proofed Multi-Factor (SWAMID P2MFA)

A multi-factor authenticator issued and proofed to a Subject fulfilling the requirements of the SWAMID Identity Assurance Level 2 Profile

...

Processes for revocation of second factors or full multi-factors should be documented in the IMPS, section 5.4.


6. Syntax

Identity Providers are marked in SAML metadata with the Assurance Certification

The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/refeds-mfa if <proofing without ID>swamid-p2mfa

The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/high-assurance if <proofing with ID>swamid-p2mfa-hia

...we must also add text about eduPersonAssurance for high assurance...

...

In accordance with REFEDS MFA Profile: 

  • In a SAML assertion, in compliance with this

...

  • SWAMID Person-Proofed Multi-Factor Profile, a multi-factor authentication is communicated by the Identity Provider asserting the AuthnContextClass https://refeds.org/profile/mfa.
  • In a SAML authentication request a Service Provider can request multi-factor authentication by adding AuthnContextClassRef https://refeds.org/profile/mfa to the authentication request.
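
A Service Provider-side sketch of the two bullets above, added here as an example and not part of the SWAMID profile text: it builds an authentication request for https://refeds.org/profile/mfa and checks that the returned assertion actually asserts that class, rejecting a fallback to a password-only class. The entity IDs, the sample assertion and the function names are constructed; signature, audience and time validation are assumed to be done by the SAML library before this check.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
CLASS_REF_PATH = f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(request_id, issuer, destination, instant):
    """SP side: AuthnRequest that asks the IdP for the REFEDS MFA class."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": instant, "Destination": destination})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    # "exact" is the SAML default comparison; stated so the intent is explicit.
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = REFEDS_MFA
    return ET.tostring(req, encoding="unicode")


def mfa_satisfied(assertion_xml):
    """True only if every AuthnStatement asserts the REFEDS MFA class."""
    root = ET.fromstring(assertion_xml)  # assumed already signature-verified
    refs = [stmt.findtext(CLASS_REF_PATH, default="").strip()
            for stmt in root.iter(f"{{{SAML}}}AuthnStatement")]
    # Fail closed: no statement, a missing class, or any other class is not MFA.
    return bool(refs) and all(ref == REFEDS_MFA for ref in refs)


def sample_assertion(class_ref):
    """Constructed, unsigned sample assertion for illustration only."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example.org/idp</saml:Issuer>'
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
        f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
        '</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion>')


if __name__ == "__main__":
    print(build_authn_request("_r1", "https://sp.example.org/sp",
                              "https://idp.example.org/sso", "2024-01-01T00:00:00Z"))
    print(mfa_satisfied(sample_assertion(REFEDS_MFA)), mfa_satisfied(sample_assertion(PASSWORD)))
```

The check on the response matters independently of the request: a Service Provider that needs multi-factor authentication should not treat a successful login as MFA unless the asserted class matches.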


7. References

[1] SWAMID Identity Assurance Level 2 Profile: http://www.swamid.se/policy/assurance/al2

...