REFEDS AuthN Profiles - Hinweise für Identity Provider

(Identity Assurance Home)

Allgemeine Infos:

Präsentation REFEDS Assurance Suite - AAI Workshop Februar 2022

Single Factor Authentication Profile

Spezifikation: https://refeds.org/profile/sfa
FAQ im REFEDS Wiki: https://wiki.refeds.org/display/PRO/SFA+Profile+FAQ

Multi-Factor Authentication Profile

Spezifikation: https://refeds.org/profile/mfa
Ausführliche FAQ mit Beispielen für SP- und IdP-Betreiber: https://wiki.refeds.org/display/PRO/MFA+Profile+FAQ
Shibboleth Wiki: Supporting the REFEDS MFA Profile

MFA Implementierung mithilfe des fudiscr IdP Plugins und privacyIDEA

Workshopmaterialien: Shibboleth Workshops Februar 2022
Installationsanleitung privacyIDEA: https://gitlab.daasi.de/training/privacyidea
Zu Installation und Konfiguration des IdP-MFA-Plugins siehe unter Shibboleth IdP-Plugin fudiscr

Falls die MFA-Prozesse und -Policies den Anforderungen des REFEDS Multi-Factor Authentication Profiles genügen:

The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do).
The factors used are independent, in that access to one factor does not by itself grant access to other factors.
The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.

kann in ./conf/authn/authn.properties der entsprechende Principal ergänzt werden:

./conf/authn/authn.properties

idp.authn.flows = MFA
 
idp.authn.fudiscr.supportedPrincipals= \
saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \
saml2/https://refeds.org/profile/mfa
 
idp.authn.MFA.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password, \
saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \
saml2/https://refeds.org/profile/mfa