Date: Fri, 29 Mar 2024 11:20:17 +0000 (UTC)
Subject: Exported From Confluence
Credits to Toni Sormunen and Pål Axelsson for this report.
The REFEDS Assurance Framework can be easily supported by just populating another custom attribute, eduPersonAssurance.
REFEDS SFA and MFA cannot be supported by ADFS acting as a SAML IdP. In SAML authentication requests ADFS recognizes only the following AuthnContextClassRef values:
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:federation:authentication:windows
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
Custom values cannot be added. If the request has some other authentication context, the following error is displayed:
MSIS7102: Requested Authentication Method is not supported on the STS.
ADFS supports MFA, which can be configured as mandatory for some users or SPs, but that does not rely on what is in the incoming authentication requests.
In the authentication responses, custom information on authentication can be mounted on normal attributes but not on the authentication context. So the following is possible (albeit conflicting with the REFEDS MFA/SFA specifications):
<AuthnContext>
  <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
  <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
  <AttributeValue>https://refeds.org/profile/mfa</AttributeValue>
  <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
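The practical consequence for a relying party is that the REFEDS MFA value in the response above sits in the wrong place: the REFEDS MFA profile is signalled through AuthnContextClassRef, not through an attribute, so an SP that only checks the attribute would accept a signal the profile does not define. The following is an added example, not code from the report or from any SAML library, showing an SP-side check that reads both locations plus the eduPersonAssurance attribute mentioned at the top of the page. The sample assertion is constructed here, modelled on the page's fragment; the issuer and subject values are placeholders, and the eduPersonAssurance attribute is identified by its standard OID name.

```python
# Added example (not from the REFEDS/ADFS report): where does an assertion
# carry its authentication-strength and assurance information?
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

REFEDS_MFA = "https://refeds.org/profile/mfa"
# ADFS-specific attribute that lists the methods used during authentication.
ADFS_AUTHN_METHODS = "http://schemas.microsoft.com/claims/authnmethodsreferences"
# eduPersonAssurance, named by its OID as it normally appears in SAML2 assertions.
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

# Constructed sample: an ADFS-style assertion with REFEDS MFA only in the
# attribute, exactly the shape the page describes as conflicting with the profile.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2024-03-29T11:20:17Z">
  <saml:Issuer>http://adfs.example.org/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-03-29T11:20:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
      <saml:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/profile/mfa</saml:AttributeValue>
      <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
      <saml:AttributeValue>https://refeds.org/assurance</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(root, name):
    """Return the text of every AttributeValue under the Attribute called `name`."""
    values = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def assess_assertion(xml_text):
    """Collect the three places an ADFS assertion can describe the login."""
    root = ET.fromstring(xml_text)
    class_refs = [e.text.strip() for e in root.findall(".//saml:AuthnContextClassRef", NS)
                  if e.text and e.text.strip()]
    authn_methods = attribute_values(root, ADFS_AUTHN_METHODS)
    assurance = attribute_values(root, EDUPERSON_ASSURANCE)
    return {
        "authn_context_class_refs": class_refs,
        "authn_methods_references": authn_methods,
        "eduPersonAssurance": assurance,
        # Only this location counts for the REFEDS MFA profile.
        "refeds_mfa_in_authn_context": REFEDS_MFA in class_refs,
        # The ADFS situation from the page: MFA advertised, but not where the profile looks.
        "refeds_mfa_only_in_attribute": REFEDS_MFA not in class_refs and REFEDS_MFA in authn_methods,
    }


def satisfies_refeds_mfa(xml_text):
    """What a REFEDS-MFA-requiring SP should decide: AuthnContextClassRef alone."""
    return assess_assertion(xml_text)["refeds_mfa_in_authn_context"]


if __name__ == "__main__":
    result = assess_assertion(SAMPLE_ASSERTION)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("REFEDS MFA satisfied per profile:", satisfies_refeds_mfa(SAMPLE_ASSERTION))
```

Run against the constructed sample, the check reports that REFEDS MFA appears only in the authnmethodsreferences attribute and that the assertion therefore does not satisfy the profile, while the eduPersonAssurance values are picked up normally, which matches the page's point that assurance is easy to convey through an attribute but MFA/SFA signalling is not.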