REFEDS AuthN Profiles - Hinweise für Identity Provider

(Identity Assurance Home)


Allgemeine Infos:

Single Factor Authentication Profile

Multi-Factor Authentication Profile

MFA Implementierung mithilfe des fudiscr IdP Plugins und privacyIDEA

Falls die MFA-Prozesse und -Policies den Anforderungen des REFEDS Multi-Factor Authentication Profiles genügen:

  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do).
  • The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  • The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.

kann in ./conf/authn/authn.properties der entsprechende Principal ergänzt werden:

./conf/authn/authn.properties
idp.authn.flows = MFA
 
idp.authn.fudiscr.supportedPrincipals= \
saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \
saml2/https://refeds.org/profile/mfa
 
idp.authn.MFA.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password, \
saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \
saml2/https://refeds.org/profile/mfa
  • Zuletzt geändert: vor 2 Jahren