Child pages
  • MFA/SFA with ADFS
Skip to end of metadata
Go to start of metadata

Credits to Toni Sormunen and Pål Axelsson for this report.

REFEDS Assurance Framework

REFEDS Assurance Framework can be easily supported by just populating another custom attribute eduPersonAssurance.

REFEDS MFA/SFA authentication contexts

REFEDS SFA and MFA cannot be supported by ADFS acting as a SAML IdP. In SAML authentication requests ADFS recognizes only the following AuthenticationContextClassReferences:

  • urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  • urn:oasis:names:tc:SAML:2.0:ac:classes:TLSCLient
  • urn:oasis:names:tc:SAML:2.0:ac:classes:X509
  • urn:federation:authentication:windows
  • urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

Custom values cannot be added. If the request has some other authentication context, the following error is displayed:

MSIS7102: Requested Authentication Method is not supported on the STS.

ADFS supports MFA which can be configured as mandatory for some users or SPs but that does not rely on what is in the incoming authentication requests.

In the Authentication responses, custom information on authentication can be mounted on normal attributes but not on the authentication context. So the following is possible (albeit conflicting with REFEDS MFA/SFA specifications):

<AuthnContext>
  <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
  <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
  <AttributeValue>https://refeds.org/profile/mfa</AttributeValue>
  <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
  • No labels