Versions Compared

Old Version 19

changes.mady.by.user Thomas Lenggenhager

Saved on

compared with

New Version 20

changes.mady.by.user Alex Stuart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

comment #Line/Reference #Proposed Change or QueryProposer / AffiliationAction / Decision (please leave blank)
14.3 Validity LifetimeSetting a hard limit on 12 hours isn't logical. A IdP could use different vectors (location, device, behavior) to determine if mfa is needed, and prevent MFA-fatigue by only requesting MFA when needed. When specifying a time-limit, a period greater than 24 hours is more practical, to spread the login-times over the (working) day. Proposal: Allow a maximum window of 8 daysPeter Havekes / SURF
25.1.3.3 ForceAuthnThere are use cases where a user must always preform MFA authentication. Examples are
  • SP's that require MFA on each login by policy
  • Use MFA authentication for signing a transaction, like entering a grade list

ForceAuthn is very useful in these cases.

Proposal: If both ForceAuth and an AuthnContextClassRef element containing the REFEDS MFA Profile are specified, the IdP MAY force the user to use his first factor, and MUST force the user to use his second factor.

Peter Havekes / SURF
3Section 4.1, line 60-61Redaction is a bit ambiguous. My reading of it is that it disallows using two factors of the same kind (i.e. two passwords of different providers, thus disallowing solutions like alternative e-mail OTP), but would allow authentications with a single step that ensures the conditions of more than one type (i.e. certificate authentication with a smartcard, which both entails having the card and knowing the card PIN). Proposal: add a "Guidance" section further developing which interpretations of the section are right, which are not, and which are close to the grey zone. Maybe also include practical examples?Francisco Aragó / RedIRIS
4Section 5.1.3.4This section hints that if a SP requests refeds/mfa in the authnContextClassRef, and only this one (as recommended in section 5.1.3.1), if the IdP cannot satisfy conditions of section 4.1 in the authentication, it must return a failure state and never a successful response. Also, the profile does not specify how the SP should verify that the requirement has been met: by the presence of the refeds/mfa classref on the response or implicitly by the fact of the response being successful?. If it's the second case, it renders the signalling of the refeds/mfa ClassRef on the response mostly superfluous; if it's the first case, the fact of forcing an error response (instead of allowing a response without the refeds/mfa classref signal) rules out the possibility to implement a proxy use case where the principal has different factors enrolled on the IdP (refeds/mfa compliant, can be accessed independently other than from the proxy) and on the proxy, and can choose between providing the second factor at the IdP (in which case the response will already be refeds/mfa compliant) or at the proxy (in which case, the IdP would have to fail for not being able to satisfy refeds/mfa context, as the IdP is standalone refeds mfa compliant). Proposal: state clearly if this is the expected behaviour (and that the exposed proxy scenario should not be supported), or otherwise clarify that not satisfying conditions of section 4.1 is not a cause for response failure, but only to NOT signal the refeds/mfa authnContextClassRef on the successful response, leaving the SP to check that the response did not fulfill the conditions and allow it to act accordingly.Francisco Aragó / RedIRIS
5Introduction, lines 31-37

The issue here is not really about intra- vs. inter-organizational MFA signalling, but rather about deviation from this profile. I suggest rewording to something like "Deployments of this Profile must adhere strictly to its requirements and cannot override them with local policy requirements. Because this Profile cannot anticipate unique organisational authentication practices and nuances, it is strongly recommended not to use the value defined in this Profile to meet local MFA request/response needs."

David Walker / InCommon
6Not presentDue to that some commercial Identity Provider softwares, for example ADFS, is handling not known authentication context classes very bad or even breaks the log in flow with a software error it would be good to add an indication that this Identity Provider is techhnically capable of handling the REFEDS MFA authntication class signaling, or the other way around. An entiy support category sound wrong but it may be the best fit.Pål Axelsson / Sunet
74.1 Multiple Factors,
lines 59 - 63

The EU Revised Directive on Payment Services (PSD2) Strong Customer Authentication requirement has an elegant definition of MFA. Suggest we adopt that text:

PSD2 Article 4(30):

an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data

Ref: Wikipedia article on Strong Customer Authentication


Albert Wu / InCommon
85.1.3.3

The section shoul be normative.

In section 4.1 it is stated that when logging in the user must use a combination of at least two factors when authentication. This means that under section 5.1.3.3 it must be the full authentication even in the case of a forced authentication.

Suggestion for additional text: "If an authentication request requires a fresh authentication via the attribute ForceAuthn, an Identity Provider must perform a new authentication of the Subject as described in section 4.1."

That ForceAuthn is unspecified in SAML is irrelavant for the section.

Pål Axelsson / Sunet
95.2.2

In section 4.1 it is stated that when logging in the user must use a combination of at least two factors when authentication. This means that under section 5.2.2 it must be the full authentication.

Based on this time of authentication must be set to when the full authentication was done, not when of the factors was latest used.

Pål Axelsson / Sunet
10

IMO the refeds MFA profile should aim to provide a standard MFA policy that is practical to implement for the IdPs in our community. As noted in the introduction it is expected that an IdP that does MFA already has a local policy and that it will hinder adoption if the refeds MFA profile is too strict. The refeds MFA profile should therefore aim to set a resonable minimum and and limit requirements to what is absolutely required while on the other hand offering enough to be attractive and usable by SPs. Setting clear expectations to IdPs and SPs and non normative Implementation advice will be really useful in the adoption process. The proposal already does this quite well.

There are places where the profile IMO is more strict than necessary:
  • 4.3 Validity Lifetime – this precludes implementations that use a MFA session lifetime of more than 12h and balance that with other controls. This seems restrictive. Do we know what is typically used?
  • 4.2 Factor Independence –


114.3Asserting authN context https://refeds.org/profile/mfa should provide assurance from the IdP to SP that the principal has in fact authenticated with multiple factors within the current IdP SSO session. While many seek to minimize the impact of requiring MFA by allowing use of "remember me" for much longer lifetimes, that (1) inherently weakens assurance level, particularly but not exclusively with kiosks or other shared devices, (2) leads to inconsistent user experience as prior use of 'second' remembered factor will inevitably get "out of sync" with SSO session lifetimes, and (3) reducing forceAuthn to a request for new password/'first' factor only. Assurance, consistent user experience, and a robust forceAuthn function all point to disallowing 'remember me' to meet the refeds mfa profile altogether.David St Pierre Bantz / U Alaska
123. Profile Identifier

Keeping the profile identifier despite the „breaking change“ (a citation from the Editors' notes) with the 12 hour validity lifetime window is not logical. The „constraint to not modify the Profile identifier“ as mentioned in the Editors' notes needs to be waived due to this change that is not a simple clarification. Especially regarding lines 51-53 that refer to additional identifiers for future versions.
Introduce a new identifier already now for v1.1 because only that way an SP/RP will be able to know for sure that the IdP/OP supports v1.1 with its strict validity lifetime window and not v1.0 without one.

Thomas Lenggenhager / SWITCH
136. References, line 307-310Reference [ITU-X.1254] nowhere used in the draft v1.1.Thomas Lenggenhager / SWITCH
14Editors' notes, section „Version Numbering for this Update“The quote „we are still relatively early in this Profile’s adoption“ is not applicable for the SWITCHaai Federation. It has 35 SAML IdP, 75 SAML SPs,1 OIDC OP and 6 OIDC RPs that make use of v1.0 of this profile.Thomas Lenggenhager / SWITCH
15Editors' notes, section „Version Numbering for this Update“The Editors' notes states "we had a constraint to not modify the Profile identifier in this update". From where? The existing profile is already being used, and the updated profile introduces breaking changes. It is therefore the UK federation's opinion that the profile identifier should be modified for version 1.1.Alex Stuart/UK federation