InCommon Federation and MFA

Don Sizemore

Aug 11, 2021, 3:50:55 PM
to dataverse...@googlegroups.com
Hello Dataverse community,

For those of you running Shibboleth with the InCommon Federation: has anyone successfully implemented MFA as a "preferred" requirement for federated IdPs while allowing fall-back authentication for IdPs which don't have MFA configured?

An authnContextClassRef="https://refeds.org/profile/mfa" requires MFA (fine) but if I make authnContextClassRef a list: "https://refeds.org/profile/mfa urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" as best I can tell I'm stating that either method is acceptable, and so I'm not prompted for MFA on sign-in.

We don't currently require MFA but we may have to at some point and I'd love to iron this out. Your suggestions or experiences would be most welcome.

Thank you,
Don
(Odum Institute)

Don Sizemore

Aug 24, 2021, 10:00:40 AM
to dataverse...@googlegroups.com
Just to document this for search engines of the future:

The solution seems to be to add
<RelyingParty Name="urn:mace:incommon:unc.edu" authnContextClassRef="https://refeds.org/profile/mfa"/>
to shibboleth2.xml beneath the Sessions and Errors elements.

Thanks to Jim Myers for directing me to the RelyingParty element.

Don Sizemore
Odum Institute
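To check a shibboleth2.xml for the pitfall the thread describes (a space-separated authnContextClassRef list tells the IdP that any listed context is acceptable, so MFA is not guaranteed), here is an added audit script that is not from the thread or from the Shibboleth project. It resolves the effective authnContextClassRef for each RelyingParty, inheriting from ApplicationDefaults, and reports whether REFEDS MFA is the only accepted context. The embedded config is a constructed sample; the entity IDs other than the one from the thread are placeholders.

```python
"""Audit which relying parties in a Shibboleth SP config actually enforce REFEDS MFA."""
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:3.0:native:sp:config"}  # Shibboleth SP 3.x config namespace
REFEDS_MFA = "https://refeds.org/profile/mfa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample shibboleth2.xml fragment (not the poster's real file): the default accepts
# password-only auth, one IdP is pinned to REFEDS MFA, and one lists both (the weak pattern).
SAMPLE_CONFIG = f"""<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://dataverse.example.edu/shibboleth"
      authnContextClassRef="{PPT}">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true">
      <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.example.edu/DS">SAML2</SSO>
    </Sessions>
    <Errors supportContact="root@localhost"/>
    <RelyingParty Name="urn:mace:incommon:unc.edu" authnContextClassRef="{REFEDS_MFA}"/>
    <RelyingParty Name="https://idp.partner.example.org/idp/shibboleth"
        authnContextClassRef="{REFEDS_MFA} {PPT}"/>
  </ApplicationDefaults>
</SPConfig>"""


def effective_policies(config_xml: str) -> dict:
    """Map each RelyingParty Name (and '*' for the default) to its set of accepted contexts."""
    root = ET.fromstring(config_xml)
    app = root.find("sp:ApplicationDefaults", NS)
    if app is None:
        raise ValueError("no ApplicationDefaults element found")
    default = set((app.get("authnContextClassRef") or "").split())
    policies = {"*": default}
    for rp in app.findall("sp:RelyingParty", NS):
        ref = rp.get("authnContextClassRef")  # absent -> inherits ApplicationDefaults
        policies[rp.get("Name")] = set(ref.split()) if ref else default
    return policies


def mfa_enforced(accepted: set) -> bool:
    """MFA is enforced only when REFEDS MFA is the sole acceptable context; a list of classes
    lets the IdP satisfy the request with any one of them, so MFA may be skipped."""
    return accepted == {REFEDS_MFA}


def audit(config_xml: str) -> dict:
    """Return {relying party name: True if MFA is enforced, False if weaker contexts are accepted}."""
    return {name: mfa_enforced(ctx) for name, ctx in effective_policies(config_xml).items()}


if __name__ == "__main__":
    for name, enforced in audit(SAMPLE_CONFIG).items():
        print(f"{name:50s} MFA enforced: {enforced}")
```

Run it against your own shibboleth2.xml by reading the file into `audit()`; any IdP reported as False will still be able to sign users in without MFA.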
