...

The goal of the pilot was to gain practical experience with the REFEDS Assurance Framework (RAF) and the Single-Factor Authentication (SFA) profile, covering both the content of the specifications and how they can be deployed using existing SAML products. See the pilot charter for details on the pilot goal.

The pilot took place between February and May 2018 and reflected the RAF and SFA specifications that REFEDS put out for public consultation in May 2018.

IdPs and SPs in the pilot

...

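| SP \ IdP     | Chicago     | XSEDE   | Aalto | CSC         |
|--------------|-------------|---------|-------|-------------|
| ELIXIR       | ePA/SFA/MFA | ePA/MFA | n/a   | ePA/SFA/MFA |
| EGI Check-in | n/a         | n/a     | n/a   | n/a         |
| CILogon      | ePA/SFA/MFA | ePA/MFA | n/a   | ePA         |
| SWITCHaai    | ePA/SFA/MFA | ePA/MFA | n/a   | ePA/SFA/MFA |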

For the pilot, Aalto and EGI used test providers which were not exposed to eduGAIN and therefore couldn't be tested with the others.

Findings on IdP products

The participating Shibboleth IdPs were successfully configured to handle the authentication context requests/responses and to release the eduPersonAssurance attribute to the SP. See configuration examples for details.

No SimpleSAMLphp installations participated directly as an IdP in the pilot, but the ELIXIR SP was a SimpleSAMLphp-based IdP/SP proxy deployment that also successfully acted as an IdP for its downstream SPs.

No ADFS IdP installations participated in the pilot. A parallel study of ADFS as a SAML IdP revealed that RAF support is straightforward (because it only requires supporting the custom eduPersonAffiliation attribute and its values), but supporting REFEDS SFA, MFA or any other custom AuthenticationContextClassReference is cumbersome because by default ADFS supports only a pre-defined set of authentication contexts.

IdPs releasing the eduPersonAssurance attribute

...