
...

A multi-factor authenticator issued and proofed to a Subject fulfilling the requirements of the SWAMID Identity Assurance Level 2 Profile, with additional identity proofing requirements for on-line proofing.

Person-Proofed Multi-Factor with high identity assurance (SWAMID P2MFA-HIA)

...

If a member organisation's Identity Provider is approved for Person-Proofed Multi-Factor, the Identity Provider is tagged in the SWAMID metadata with the assurance certification attribute http://www.swamid.se/policy/authentication/swamid-p2mfa

If a member organisation's Identity Provider is in addition approved for Person-Proofed Multi-Factor with high identity assurance, the Identity Provider is also tagged in the SWAMID metadata with the assurance certification attribute http://www.swamid.se/policy/authentication/swamid-p2mfa-hia (as well as http://www.swamid.se/policy/authentication/swamid-p2mfa).


In accordance with the REFEDS MFA Profile:

  • In a SAML assertion, in compliance with this Person-Proofed Multi-Factor Profile or Person-Proofed Multi-Factor with high identity assurance, a performed multi-factor authentication is communicated by the Identity Provider asserting the AuthnContextClassRef value https://refeds.org/profile/mfa.
  • In a SAML authentication request a Relying Party can request multi-factor authentication by adding the AuthnContextClassRef https://refeds.org/profile/mfa to the authentication request.

When a Subject performs a multi-factor authentication based on the Person-Proofed Multi-Factor with high identity assurance profile, the Identity Provider MUST add the value http://www.swamid.se/policy/authentication/swamid-p2mfa-hia to the attribute eduPersonAssurance. This is the only way a Relying Party can distinguish between the two identity proofing levels of multi-factor authentication within this profile, since both levels are signalled by the same AuthnContextClassRef.


Guidance

The eduPersonAssurance value for Person-Proofed Multi-Factor with high identity assurance should only be released if a multi-factor authentication occurred.
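The following is an added example of how a Relying Party can apply the rules above and the guidance just given; it is not SWAMID's or REFEDS' code. It parses a SAML 2.0 assertion, reads the asserted AuthnContextClassRef and the eduPersonAssurance values, and classifies the login: REFEDS MFA together with the swamid-p2mfa-hia value means high identity assurance, REFEDS MFA alone means multi-factor at the level the IdP is certified for, and the swamid-p2mfa-hia value without REFEDS MFA is flagged as inconsistent (the guidance says the value should only be released when MFA occurred). The metadata check assumes the certification is carried as an entity attribute named urn:oasis:names:tc:SAML:attribute:assurance-certification; the sample assertion and metadata are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {
    "saml": SAML_NS,
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
}
REFEDS_MFA = "https://refeds.org/profile/mfa"
P2MFA = "http://www.swamid.se/policy/authentication/swamid-p2mfa"
P2MFA_HIA = "http://www.swamid.se/policy/authentication/swamid-p2mfa-hia"
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"  # eduPersonAssurance
# Assumed name of the entity attribute carrying assurance certifications in metadata.
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"


def parse_assertion(xml_text):
    """Return the AuthnContextClassRef values and eduPersonAssurance values of an assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % SAML_NS else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    contexts = [
        e.text.strip()
        for e in assertion.findall(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
        if e.text
    ]
    assurance = []
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EDUPERSON_ASSURANCE:
            assurance.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return {"authn_contexts": contexts, "assurance": assurance}


def classify(parsed):
    """Map the asserted values to the profile level the Relying Party may rely on."""
    mfa = REFEDS_MFA in parsed["authn_contexts"]
    hia = P2MFA_HIA in parsed["assurance"]
    if hia and not mfa:
        return "inconsistent"   # HIA value released without a multi-factor authentication
    if mfa and hia:
        return "p2mfa-hia"
    if mfa:
        return "mfa"            # which SWAMID profile applies is read from the IdP's metadata
    return "none"


def idp_certifications(metadata_xml):
    """Return the assurance certification values an IdP carries in its metadata (assumed attribute name)."""
    root = ET.fromstring(metadata_xml)
    values = []
    for attr in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_CERT:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def accept(parsed, certifications, require_hia):
    """Decide whether the login satisfies the Relying Party's requirement."""
    level = classify(parsed)
    if require_hia:
        return level == "p2mfa-hia" and P2MFA_HIA in certifications
    return level in ("mfa", "p2mfa-hia") and P2MFA in certifications


def build_assertion(authn_context, assurance_values):
    """Constructed minimal SAML 2.0 Assertion for testing, not a real IdP response."""
    values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in assurance_values)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EDUPERSON_ASSURANCE}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed metadata fragment for an IdP certified for both profiles.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{SAML_NS}" entityID="https://idp.example.org/idp">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="{ASSURANCE_CERT}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>{P2MFA}</saml:AttributeValue>
      <saml:AttributeValue>{P2MFA_HIA}</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    certs = idp_certifications(SAMPLE_METADATA)
    for ctx, vals in [(REFEDS_MFA, [P2MFA_HIA]), (REFEDS_MFA, []),
                      ("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", [P2MFA_HIA])]:
        parsed = parse_assertion(build_assertion(ctx, vals))
        print(classify(parsed), accept(parsed, certs, require_hia=True))
```

The design point is that the two signals are checked together: the AuthnContextClassRef tells the Relying Party that multi-factor authentication happened, the eduPersonAssurance value tells it which proofing level applies, and the metadata tag tells it whether the Identity Provider is actually approved to make that claim.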

...