...
REFEDS Multi-Factor Authentication (MFA) Profile (https://refeds.org/profile/mfa)
REFEDS Single-Factor Authentication (SFA) Profile (https://refeds.org/profile/sfa)
SAML authentication contexts
The XML namespaces used in the examples:
samlp="urn:oasis:names:tc:SAML:2.0:protocol"
saml="urn:oasis:names:tc:SAML:2.0:assertion"
Example 1: An SP requests MFA
An SP requests MFA (Comparison attribute present):
...
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext”/>
</samlp:Status>
Example 2: An SP prefers MFA but accepts SFA
An SP presents a list of authentication contexts in the order of preference (Comparison attribute omitted, applying the default value “exact”):
...
Note: according to the SAML 2.0 specification, an Identity Provider can present only one authentication context in the response.
OpenID Connectr acr claims
Example 1: An RP requests MFA
An RP issues a claims request, with “essential”:true qualifier as defined in [OIDC Core, section 5.5]:
...
N.B. Currently there is no standard error code to signal OP’s inability to satisfy the requested authentication context. A dedicated error code may be later published by competent specification bodies.
Example 2: An RP prefers MFA but accepts SFA
An RP issues a claims request with a list of authentication contexts in the order of preference and “essential”:true qualifier as defined in [OIDC Core, section 5.5]:
...