Terminology and Typographical Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.
Definition of terminology
Home Organisation: The SWAMID Member Organisation with which a Subject is affiliated, operating the Identity Provider by itself or through a third party.
Member Organisation: Used in this document as a synonym for Home Organisation.
Subject: any natural person affiliated with a Home Organisation, e.g. as a teacher, researcher, staff or student.
Identity Provider (IdP): The system component that issues Attribute assertions on behalf of Subjects who use them to access the services of Relying Party.
Relying Party (RP): A Service that relies upon a Subject’s credentials, typically to process a transaction or grant access to information or a system. Also called a Service Provider (SP).
2. Purpose, Scope and Summary
This document defines how a SWAMID member organisation SHOULD implement a multi factor authentication solution in order to be certified by SWAMID for multi factor authentication in a federated environment.
This multi factor profile is an extension to REFEDS MFA Profile (https://refeds.org/profile/mfa), applicable for Swedish Higher Education.
3. Syntax
The member organisation's Identity Provider is tagged in the SWAMID federation metadata with the assurance certification attribute: http://www.swamid.se/policy/authentication/refeds-mfa
In accordance with REFEDS MFA Profile:
In a SAML assertion, compliance is communicated by asserting the AuthnContextClassRef: https://refeds.org/profile/mfa
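The two syntax elements above are what a Relying Party can check before treating a login as MFA: the assertion must carry the REFEDS MFA AuthnContextClassRef, and the issuing IdP must be tagged in SWAMID metadata with the certification attribute. The following is an added example (not code from SWAMID or REFEDS) that performs both checks on constructed sample XML; it assumes the standard entity-attribute name from the SAML Identity Assurance Profiles (not stated on this page) and a placeholder entityID, and it assumes the assertion's signature was already verified by the SAML stack.

```python
# Relying-party check for section 3: the assertion carries AuthnContextClassRef
# https://refeds.org/profile/mfa AND the issuing IdP is tagged in metadata with
# the SWAMID assurance-certification value. Assumes the SAML library already
# verified the assertion signature; this only inspects the parsed XML.
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
REFEDS_MFA = "https://refeds.org/profile/mfa"
SWAMID_MFA_CERT = "http://www.swamid.se/policy/authentication/refeds-mfa"
# Entity-attribute name for assurance certifications (SAML Identity Assurance Profiles)
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
IDP = "https://idp.example.se/idp"  # constructed placeholder entityID

# Constructed sample metadata: one certified IdP, one tagged with something else.
METADATA_OK = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{IDP}">
 <md:Extensions><mdattr:EntityAttributes xmlns:mdattr="{NS['mdattr']}">
  <saml:Attribute xmlns:saml="{NS['saml']}" Name="{ASSURANCE_ATTR}">
   <saml:AttributeValue>{SWAMID_MFA_CERT}</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>"""
METADATA_OTHER = METADATA_OK.replace(SWAMID_MFA_CERT, "http://example.org/other-cert")

def _assertion(ctx):  # constructed minimal assertion with one AuthnStatement
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Issuer>{IDP}</saml:Issuer>'
            '<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
            f'{ctx}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
            '</saml:Assertion>')
ASSERTION_MFA = _assertion(REFEDS_MFA)
ASSERTION_PW = _assertion("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

def assertion_claims_mfa(assertion_xml):
    """True if an AuthnContextClassRef in the assertion equals the REFEDS MFA URI."""
    root = ET.fromstring(assertion_xml)
    return REFEDS_MFA in [e.text.strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS) if e.text]

def idp_certified_for_mfa(metadata_xml, entity_id):
    """True if entity_id's EntityDescriptor carries the SWAMID MFA certification."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for attr in ed.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_ATTR:
                if SWAMID_MFA_CERT in [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]:
                    return True
    return False

def accept_as_mfa(assertion_xml, metadata_xml):
    """Both conditions must hold before the RP treats the login as MFA."""
    issuer = ET.fromstring(assertion_xml).findtext("saml:Issuer", namespaces=NS)
    return assertion_claims_mfa(assertion_xml) and idp_certified_for_mfa(metadata_xml, issuer)
```

An assertion that claims the MFA context from an IdP that is not tagged in metadata is rejected, which is the case the certification attribute exists to catch.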
4. Compliance and Audit
The Member organisation MUST be certified for SWAMID Identity Assurance Level 2 Profile.
Only subjects currently at SWAMID Identity Assurance Level 2 are allowed to authenticate themselves according to this Profile.
The Member organisation SHOULD document the relevant parts of the Credential Operating Environment for the multi factor authentication in the Identity Management Practice Statement and submit the Identity Management Practice Statement for approval by the SWAMID Board of Trustees.
5. Criteria
The Member organisation MUST perform a successful validation of their Identity Provider in the official SWAMID Multi factor validation service.
The validation service is located at https://mfa-check.swamid.se
Original criteria repeated from REFEDS MFA Profile for convenience
By asserting the URI shown above (note: https://refeds.org/profile/mfa), an Identity Provider claims that: