
Please read all documentation before proceeding. https://refeds.org/profile/mfa

If your SP accepts authentication assertions from other IdPs, you should be aware that REFEDS MFA may not be supported by all IdPs.

What is REFEDS MFA? 

REFEDS MFA is an Authentication Context that allows an SP to be assured that users authenticated to its application using MFA.

Why use REFEDS MFA?

Some applications may have stricter security standards and must require that all users authenticate using MFA.

STEP 1

Updating your SP to use REFEDS MFA.

Here are two examples of configuring REFEDS MFA in your shibboleth2.xml.

Example 1 (default SSO element)
<SSO entityID="urn:mace:incommon:ucla.edu"
authnContextClassRef="https://refeds.org/profile/mfa">SAML2</SSO>
Example 2 (application override)
<Path name="myapp" authType="shibboleth" requireSession="true" applicationId="myapp" authnContextClassRef="https://refeds.org/profile/mfa"/>

STEP 2

Restart shibd and test your application

Restart the shibd process and verify in your shibd.log (/var/log/shibboleth or /opt/etc/shibboleth/var/log) that Shibboleth is running. Then test your application to ensure the REFEDS MFA context is in the assertion.

Verify SAML assertion
    <samlp:RequestedAuthnContext>
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
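
One way to run the Step 2 check on a captured message, as an added example that is not part of the original page: it separates what the SP requested (RequestedAuthnContext in the AuthnRequest) from what the IdP asserted (AuthnContextClassRef in the assertion's AuthnStatement). It assumes the XML is already base64-decoded and decrypted; the function names and sample messages are constructed for illustration, and the script does not validate signatures.

```python
import xml.etree.ElementTree as ET

REFEDS_MFA = "https://refeds.org/profile/mfa"
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NSDECL = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"')

def authn_contexts(xml_text):
    """Return (requested, asserted) AuthnContextClassRef values found in a
    decoded SAML AuthnRequest or Response."""
    # SAML messages never carry a DTD; refuse it instead of expanding entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD found in SAML message; refusing to parse")
    root = ET.fromstring(xml_text)
    def refs(path):
        return [(e.text or "").strip() for e in root.iterfind(path, NS)]
    requested = refs(".//samlp:RequestedAuthnContext/saml:AuthnContextClassRef")
    asserted = refs(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef")
    return requested, asserted

def assertion_has_mfa(xml_text):
    """True only if at least one class ref is asserted and all are REFEDS MFA."""
    # An EncryptedAssertion exposes no AuthnStatement, so it yields False here.
    _, asserted = authn_contexts(xml_text)
    return bool(asserted) and all(v == REFEDS_MFA for v in asserted)

# Constructed samples (not real traffic): the SP's request and an IdP reply.
SAMPLE_REQUEST = (
    f'<samlp:AuthnRequest {NSDECL}><samlp:RequestedAuthnContext>'
    f'<saml:AuthnContextClassRef>{REFEDS_MFA}</saml:AuthnContextClassRef>'
    '</samlp:RequestedAuthnContext></samlp:AuthnRequest>')

def sample_response(class_ref):
    """Build a minimal constructed Response asserting the given class ref."""
    return (f'<samlp:Response {NSDECL}><saml:Assertion><saml:AuthnStatement>'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
            '</saml:AuthnContextClassRef></saml:AuthnContext>'
            '</saml:AuthnStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    pw = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    print("requested/asserted in request:", authn_contexts(SAMPLE_REQUEST))
    print("MFA reply passes:", assertion_has_mfa(sample_response(REFEDS_MFA)))
    print("password-only reply passes:", assertion_has_mfa(sample_response(pw)))
```

A request that carries the MFA context is not proof that the IdP honored it; only the value in the assertion's AuthnStatement shows how the user actually authenticated.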