These examples demonstrate how the REFEDS authentication profiles are presented in the SAML 2.0 and OpenID Connect protocol flows:
REFEDS Multi-Factor Authentication (MFA) Profile (https://refeds.org/profile/mfa)
REFEDS Single-Factor Authentication (SFA) Profile (https://refeds.org/profile/sfa)
The XML namespaces used in the examples:

  samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  saml="urn:oasis:names:tc:SAML:2.0:assertion"
Example 1: An SP requests MFA

An SP requests MFA (Comparison attribute present):

  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>

An IdP responds with MFA:

  <saml:AuthnContext>
    <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
  </saml:AuthnContext>

Alternatively, an IdP responds that it cannot satisfy the request:

  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <!-- NoAuthnContext is a second-level status code; SAML 2.0 Core nests it under a top-level code such as Responder -->
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
  </samlp:Status>

Example 2: An SP prefers MFA but accepts SFA
This is NOT supported by the SAML standard. See the FAQ for alternatives.
OpenID Connect acr claims
Example 1: An RP requests MFA

An RP issues a claims request with the "essential": true qualifier as defined in [OIDC Core, section 5.5]:

  {
    "id_token": {
      "acr": {
        "essential": true,
        "value": "https://refeds.org/profile/mfa"
      }
    }
  }

An OP responds with an ID token indicating MFA:
  {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "acr": "https://refeds.org/profile/mfa"
  }

Alternatively, an OP responds to the client that it cannot satisfy the request:
  HTTP/1.1 302 Found
  Location: https://client.example.org/cb?error=invalid_request&error_description=The%20specified%20authentication%20context%20requirements%20cannot%20be%20met%20by%20the%20responder.&state=af0ifjsldkj

N.B. Currently there is no standard error code to signal the OP's inability to satisfy the requested authentication context. A dedicated error code may later be published by the competent specification bodies.
Example 2: An RP prefers MFA but accepts SFA
An RP issues a claims request with a list of authentication contexts in order of preference and the "essential": true qualifier as defined in [OIDC Core, section 5.5]:

  {
    "id_token": {
      "acr": {
        "essential": true,
        "values": [
          "https://refeds.org/profile/mfa",
          "https://refeds.org/profile/sfa"
        ]
      }
    }
  }

An OP responds with an ID token indicating SFA:
  {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "acr": "https://refeds.org/profile/sfa"
  }

Note: according to the OpenID Connect specification, an OP can present only one authentication context in the response.
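The relying-party side of both flows above (the SAML exact-match request and the OIDC "value"/"values" claims request) is easy to get wrong: an SP or RP must check that the context actually asserted is one it asked for, and must not treat a missing acr or AuthnContextClassRef as MFA. The following Python is an added example, not code from REFEDS or from the page; the function names and the sample ID token and assertion fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MFA = "https://refeds.org/profile/mfa"
SFA = "https://refeds.org/profile/sfa"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_acr_claims_request(preferred):
    """OIDC claims parameter: one context -> "value", an ordered preference list -> "values"."""
    acr = {"essential": True}
    if len(preferred) == 1:
        acr["value"] = preferred[0]
    else:
        acr["values"] = list(preferred)
    return {"id_token": {"acr": acr}}

def verify_oidc_acr(id_token_claims, preferred):
    """Return the single context the OP asserted; reject a missing acr or one that was never requested."""
    acr = id_token_claims.get("acr")
    if acr is None:
        raise ValueError("ID token carries no acr claim; treat the login as neither MFA nor SFA")
    if acr not in preferred:
        raise ValueError(f"OP asserted unrequested context {acr!r}")
    return acr

def verify_saml_authn_context(assertion_xml, requested):
    """Comparison="exact": the asserted AuthnContextClassRef must equal the requested class."""
    root = ET.fromstring(assertion_xml)  # for XML received over the network, parse with defusedxml instead
    ref = root.find(".//saml:AuthnContextClassRef", NS)
    asserted = ref.text.strip() if ref is not None and ref.text else None
    if asserted != requested:
        raise ValueError(f"IdP asserted {asserted!r}, SP requested {requested!r}")
    return asserted

# Constructed sample messages (hypothetical, not captured from a real deployment)
ID_TOKEN_SFA = {"iss": "https://server.example.com", "sub": "24400320",
                "aud": "s6BhdRkqt3", "acr": SFA}
SAML_STATEMENT_MFA = """<saml:AuthnStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>"""

if __name__ == "__main__":
    print(build_acr_claims_request([MFA, SFA]))
    print("OIDC satisfied:", verify_oidc_acr(ID_TOKEN_SFA, [MFA, SFA]))
    print("SAML satisfied:", verify_saml_authn_context(SAML_STATEMENT_MFA, MFA))
```

The same SFA token is rejected when only MFA was requested, which is the check a deployment relying on the MFA profile needs before granting elevated access.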