1. Terminology and Typographical Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.
   Text in Italics is non-normative. All other text is normative unless otherwise stated.
   All normative parts of the profile is governed by the SWAMID Board of Trustees.
   The non-normative (guidance) is maintained by the SWAMID operations team. 

   1. Definition of terminology

      Home Organisation: The SWAMID Member Organisation with which a Subject is affiliated, operating the Identity Provider by itself or through a third party.

      Member Organisation: Used in this document as a synonym for Home Organisation

      Subject: any natural person affiliated with a Home Organisation, e.g. as a teacher, researcher, staff or student.

      Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects who use them to access the services of Relying Party.

      Relying Party (RP): A Service that relies upon a Subject’s credentials, typically to process a transaction or grant access to information or a system. Also called a Service Provider (SP). 

2. Purpose, Scope and Summary 

This document defines how a SWAMID member organisation SHOULD implement a multi factor authentication solution in order to be certified by SWAMID for of multi factor authentication in a federated environment.

This multi factor profile is based on REFEDS MFA Profile (https://refeds.org/profile/mfa) but expanded in order to be completely applicable for Swedish Higher Education. This profile also imposes additional criteria in order to clarify uncertainties in the REFEDS MFA Profile.

3. Syntax

The member organisation's Identity Provider is tagged in the SWAMID federation meta data stream with the assurance marker: <Insert marker>

In accordance with REFEDS MFA Profile: 

In a SAML assertion, compliance is communicated by asserting the AuthnContextClassRef:

https://refeds.org/profile/mfa

In accordance with this profile, SWAMID MFA Profile

In a SAML assertion, compliance is communicated by asserting the AuthnContextClassRef:

https://swamid.se/profile/mfa

4. Compliance and Audit

The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile.

Only subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.

Guidance: The Identity Provider is not allowed to signal the above listed AuthnContextClassRefs for subjects not at SWAMID Identity Assurance Level 2.

The Member organisation SHOULD document valid parts regarding the credential operating environment in the Identity Management Practice Statement and get the Identity Management Practice Statement approved by SWAMID Board of Trustees.

•  Implementation of multi factor technique SHOULD be documented in 5.1 Credential Operating Environment
  Valid choices for multi factor technique in SWAMID is listed in the document ...
• Processes for issuing and assigning of credentials (all valid factors) SHLULD be documented in 5.2 Credential Issuing (more precisely in 5.2.5)
  Issuing of Credentials MUST still fulfil the criteria listed in SWAMID Assurance Level 2 Profile. 
• Processes for renewal of additional factors SHOULD be documented in 5.3 Credential Renewal and Re-issuing
  Renewal and Re-issuing of Credentials MUST still fulfil the criteria listed in SWAMID Assurance Level 2 Profile.
• Processes for revocation of additional factors SHOULD be documented in 5.4 Credential Revokation
  Revocation of Credentials MUST still fulfil the criteria listed in SWAMID Assurance Level 2 Profile.

All processes documented regarding 

5. Criteria

The Member organisation MUST perform a successful validation of their Identity Provider in the official SWAMID Multi factor validation service

The validation service is located at https://mfa-check.swamid.se

Original criteria repeated  from REFEDS MFA Profile for convenience 

By asserting the URI shown above (note: https://refeds.org/profile/mfa), an Identity Provider claims that:

• The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do) [4].
• The factors used are independent, in that access to one factor does not by itself grant access to other factors.
• The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.

-----

• Medlemsorganisationen ska vara godkänd för SWAMID AL2
• Medlemsorganisationen ska dokumentera utdelningen av samtliga faktorer i IMPS
  • Val av multifaktorteknik dokumenteras under 5.1 Credential Operating Environment
    • Uppfyller REFEDS MFA + SWAMIDs utökade regler
  • Utdelningsrutiner under 5.2 Credential Issuing (närmare bestämt 5.2.5)
  • Utbyte av andra faktor dokumenteras under 5.3 Credential Renewal and Reissuing
  • Spärrande av andra faktor dokumenteras under 5.4 Credential Revokation
• Medlemsorganisationen ska genomföra framgångsrikt validering av IdP mot SWAMIDs valideringstjänst.
• Medlemsorganisationen ska kontakta SWAMID Operations för tillitsmarkering i metadata.