From: Krzysztof B. <kb...@un...> - 2023-01-03 13:54:22
Hi Sander,

On 3.01.2023 at 07:39, Sander Apweiler wrote:
> Dear Krzysztof,
> first of all happy new year and all the best for 2023.
>
> After enabling two factor authentication on our services, we want to
> signal the usage of it to the services. In SAML we want to use the
> https://refeds.org/profile/mfa in AuthnContextClassRef. In OIDC we want
> to use the acr claim. Is this possible within unity? I didn't find
> anything in the manual about setting AuthnContextClassRef or acr.

Unfortunately neither acr nor amr is implemented in Unity as of now. Same for SAML.

> The second thing we are thinking about is proxying the information from
> the Upstream IdPs if there was 2FA used. I read that we can read the
> AuthnContextClassRef in SAML input translation profile.

Yes, it is exposed as an attribute in the context.

> Is there also
> an action which removes the old value, if this is not covered in the
> next login anymore?

Hm, I don't understand the question. In general I don't think it is possible to set AuthnContextClassRef in SAML response manually. It should be possible to set manually acr in output profile for OAuth AS, although with some extra work (i.e. one would need to put that in output profile + add to some scope, like profile).

Best,
Krzysztof