From: Sander A. <sa....@fz...> - 2023-01-03 14:15:18
Hi Krzysztof,

On Tue, 2023-01-03 at 14:54 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 3.01.2023 at 07:39, Sander Apweiler wrote:
> > Dear Krzysztof,
> > first of all happy new year and all the best for 2023.
> >
> > After enabling two factor authentication on our services, we want to
> > signal the usage of it to the services. In SAML we want to use the
> > https://refeds.org/profile/mfa in AuthnContextClassRef. In OIDC we want
> > to use the acr claim. Is this possible within unity? I didn't find
> > anything in the manual about setting AuthnContextClassRef or acr.
>
> Unfortunately neither acr nor amr is implemented in Unity as of now.
> Same for SAML.
>
> > The second thing we are thinking about is proxying the information from
> > the Upstream IdPs if there was 2FA used. I read that we can read the
> > AuthnContextClassRef in SAML input translation profile.
>
> Yes, it is exposed as an attribute in the context.
>
> > Is there also an action which removes the old value, if this is not
> > covered in the next login anymore?
>
> Hm, I don't understand the question. In general I don't think it is
> possible to set AuthnContextClassRef in SAML response manually. It
> should be possible to set acr manually in output profile for OAuth AS,
> although with some extra work (i.e. one would need to put that in
> output profile + add to some scope, like profile).

Let me try to explain it. When I store the value of the AuthnContextClassRef from the remote IdP in an attribute and it signals that 2FA was used, but on the next login the AuthnContextClassRef is not released by the IdP anymore, I cannot use the old value anymore and must assume that no 2FA was performed. Of course I can create some complex MVEL expression, but maybe there is an easier way to drop the old information if the AuthnContextClassRef is not sent by the remote IdP anymore.
Best regards,
Sander

>
> Best,
> Krzysztof
> --

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
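The failure mode Sander describes, a stored "2FA was used" flag outliving a later login in which the upstream IdP releases no AuthnContextClassRef, is easy to reproduce and easy to avoid by recomputing the flag from the current assertion only. The following is an added illustration, not code from this thread and not Unity's translation-profile API; the `UpstreamLogin`, `MfaState`, `refresh_mfa_state` and `refresh_update_only_when_present` names are hypothetical stand-ins for whatever a proxy exposes, and the sample logins are constructed.

```python
"""Stale-MFA illustration: derive the downstream MFA signal from the current
upstream assertion only, so an old value never survives a login without an
AuthnContextClassRef.  Hypothetical helper names; not Unity's own code."""
from dataclasses import dataclass, field
from typing import Optional

# REFEDS MFA profile identifier as carried in AuthnContextClassRef (named in the thread).
REFEDS_MFA = "https://refeds.org/profile/mfa"


@dataclass
class UpstreamLogin:
    """One login result from the upstream IdP (hypothetical shape)."""
    user: str
    # AuthnContextClassRef values released in this assertion; empty if none were released.
    authn_context_class_refs: list[str] = field(default_factory=list)


@dataclass
class MfaState:
    """What the proxy remembers per user for forwarding to downstream services."""
    user: str
    mfa: bool = False
    source: Optional[str] = None  # which class ref(s) established the value, for audit


def mfa_in_assertion(refs: list[str]) -> bool:
    """True only if the current assertion carries the REFEDS MFA class ref (exact match)."""
    return REFEDS_MFA in refs


def refresh_mfa_state(login: UpstreamLogin) -> MfaState:
    """Correct variant: rebuild the stored state from the current login alone.

    Absence of AuthnContextClassRef in this login means 'no MFA', regardless of
    what an earlier login established.
    """
    if not login.authn_context_class_refs:
        return MfaState(user=login.user, mfa=False, source="no AuthnContextClassRef released")
    return MfaState(
        user=login.user,
        mfa=mfa_in_assertion(login.authn_context_class_refs),
        source=",".join(login.authn_context_class_refs),
    )


def refresh_update_only_when_present(previous: MfaState, login: UpstreamLogin) -> MfaState:
    """Problematic variant: only overwrite the stored value when the IdP sent one.

    This is the behaviour the thread warns about: a login with no class ref
    leaves the old 'mfa=True' in place.
    """
    if not login.authn_context_class_refs:
        return previous
    return MfaState(
        user=login.user,
        mfa=mfa_in_assertion(login.authn_context_class_refs),
        source=",".join(login.authn_context_class_refs),
    )


def downstream_acr(state: MfaState) -> Optional[str]:
    """Value to forward as the OIDC acr claim (or SAML AuthnContextClassRef), or None."""
    return REFEDS_MFA if state.mfa else None


def replay(logins: list[UpstreamLogin]) -> list[bool]:
    """MFA flag after each login using the recompute-every-time rule."""
    return [refresh_mfa_state(login).mfa for login in logins]


def replay_update_only_when_present(logins: list[UpstreamLogin]) -> list[bool]:
    """MFA flag after each login using the update-only-when-present rule."""
    state = MfaState(user=logins[0].user) if logins else MfaState(user="")
    flags = []
    for login in logins:
        state = refresh_update_only_when_present(state, login)
        flags.append(state.mfa)
    return flags


# Constructed sample: MFA on the first login, nothing released on the second,
# password-only context on the third.
SAMPLE_LOGINS = [
    UpstreamLogin("alice", [REFEDS_MFA]),
    UpstreamLogin("alice", []),
    UpstreamLogin("alice", ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"]),
]

if __name__ == "__main__":
    for login, good, stale in zip(SAMPLE_LOGINS, replay(SAMPLE_LOGINS),
                                  replay_update_only_when_present(SAMPLE_LOGINS)):
        print(f"{login.authn_context_class_refs!r}: recompute={good} update-only={stale}")
```

The second login is the interesting one: the recompute rule drops to `False`, while the update-only rule keeps reporting `True` from the first login, which is exactly the stale signal a downstream service would wrongly trust. Whatever mechanism is used in the translation profile, it should behave like the first variant: assign the attribute unconditionally on every login rather than only when the class ref is present.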