====== REFEDS AuthN Profiles - Notes for Identity Providers ======

([[de:aai:assurance|Identity Assurance Home]]) \\

General information:
  * Presentation [[https://download.aai.dfn.de/ws/2022/refeds_assurance_suite.pdf|REFEDS Assurance Suite]] - [[de:aai:events:ws2022|AAI Workshop February 2022]]

===== Single Factor Authentication Profile =====

  * Specification: https://refeds.org/profile/sfa
  * FAQ in the REFEDS Wiki: https://wiki.refeds.org/display/PRO/SFA+Profile+FAQ

===== Multi-Factor Authentication Profile =====

  * Specification: https://refeds.org/profile/mfa
  * Detailed FAQ with examples for SP and IdP operators: https://wiki.refeds.org/display/PRO/MFA+Profile+FAQ
  * Shibboleth Wiki: [[https://shibboleth.atlassian.net/l/c/kWP1CpD1|Supporting the REFEDS MFA Profile]]

==== MFA implementation using the fudiscr IdP plugin and privacyIDEA ====

  * Workshop materials: [[de:aai:events:ws2022|Shibboleth Workshops February 2022]]
  * privacyIDEA installation guide: https://gitlab.daasi.de/training/privacyidea
  * For installation and configuration of the IdP MFA plugin, see [[de:shibidp:plugin-fudiscr|Shibboleth IdP-Plugin fudiscr]]

If the MFA processes and policies satisfy the requirements of the REFEDS Multi-Factor Authentication Profile, namely:

  * The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do).
  * The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  * The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.

then the corresponding principal can be added in ''./conf/authn/authn.properties'':

<code properties>
idp.authn.flows = MFA
idp.authn.fudiscr.supportedPrincipals= \
    saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \
    saml2/https://refeds.org/profile/mfa
idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password, \
    saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \
    saml2/https://refeds.org/profile/mfa
</code>
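A common mistake when wiring this up is to list the REFEDS MFA class reference under only one of the two ''supportedPrincipals'' keys, or to leave ''MFA'' out of ''idp.authn.flows'', in which case the IdP never asserts ''https://refeds.org/profile/mfa'' even though the second factor was checked. The following script is an added example (not part of this page or of the Shibboleth/fudiscr projects): it parses the Java-properties continuation syntax that ''authn.properties'' uses and checks that the REFEDS MFA principal appears where the fragment above puts it. The sample properties text is constructed from that fragment; the key names and the pipe-separated form of ''idp.authn.flows'' are the Shibboleth IdP's own, everything else (function names, the checks themselves) is this example's.

```python
"""Sanity-check a Shibboleth IdP authn.properties fragment for REFEDS MFA wiring.

Added example, not part of the DFN-AAI page or any project's code. It reads
the Java .properties syntax used by authn.properties (trailing-backslash line
continuation, '=' or ':' separators, '#'/'!' comments) and reports whether the
REFEDS MFA authentication context class is advertised by both the fudiscr flow
and the MFA flow, and whether the MFA flow is enabled at all.
"""
import re

REFEDS_MFA = "https://refeds.org/profile/mfa"

# Constructed sample: the fragment shown on the page, verbatim.
SAMPLE_PROPERTIES = r"""
idp.authn.flows = MFA
idp.authn.fudiscr.supportedPrincipals= \
    saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \
    saml2/https://refeds.org/profile/mfa
idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password, \
    saml2/urn:de:zedat:fudis:SAML:2.0:ac:classes:CR, \
    saml2/https://refeds.org/profile/mfa
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader. Continuation lines (ending in a
    backslash) are joined with their leading whitespace removed, as the
    Java loader does; comments and blank lines are skipped."""
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_principals(value: str) -> list:
    """Split a supportedPrincipals value into (protocol, class-ref) pairs,
    e.g. 'saml2/https://refeds.org/profile/mfa' -> ('saml2', 'https://...')."""
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        proto, _, ref = item.partition("/")
        pairs.append((proto, ref))
    return pairs


def check_refeds_mfa(props: dict) -> dict:
    """One boolean finding per requirement; all True means the fragment is
    wired the way the page describes."""
    # idp.authn.flows is pipe-separated in the Shibboleth IdP; accept commas too.
    flows = [f.strip() for f in re.split(r"[|,]", props.get("idp.authn.flows", ""))]
    fudiscr = split_principals(props.get("idp.authn.fudiscr.supportedPrincipals", ""))
    mfa = split_principals(props.get("idp.authn.MFA.supportedPrincipals", ""))
    return {
        "mfa_flow_enabled": "MFA" in flows,
        "fudiscr_advertises_refeds_mfa": ("saml2", REFEDS_MFA) in fudiscr,
        "mfa_flow_advertises_refeds_mfa": ("saml2", REFEDS_MFA) in mfa,
    }


def findings_for(text: str) -> dict:
    """Convenience wrapper: parse a properties text and run the checks."""
    return check_refeds_mfa(parse_properties(text))


if __name__ == "__main__":
    for name, ok in findings_for(SAMPLE_PROPERTIES).items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
```

Run it against your own file with ''findings_for(open("conf/authn/authn.properties").read())''; any ''MISSING'' finding means a relying party requesting ''https://refeds.org/profile/mfa'' will not get that class reference back from this IdP.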