Trust and Internet Identity Meeting Europe
11-14 Feb 2019: Workshops and Unconference

2nd Factor in full-mesh federation

(Eimantas Šerpenskas)

Haka mesh step-up: https://wiki.eduuni.fi/display/CSCHAKA/Haka+MFA

Federation architectures: https://wiki.geant.org/display/eduGAIN/Federation+Architectures

Software used in most IdPs: https://simplesamlphp.org/

Level of Assurance Authentication Context Profiles for SAML 2.0: https://www.oasis-open.org/committees/download.php/28706/sstc-saml-loa-authncontext-profile-draft-01.pdf

How an SP can ask for particular level(s) of assurance, expressed as SAML authentication context classes:

urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:TimesyncToken

In the home organization this can be (and is) realized by creating a SimpleSAMLphp module that checks the requested LoA and forces the user to authenticate against additional sources. For example, given the authentication sources 'ldap' => array( … ), 'facebook' => array( … ) and 'googleauth' => array( … ), the module is configured like this:

'multisourceauth' => array(
    'multifactorauth:MultiFactor',

    'contexts' => array(
        'http://litnet.lt/loa1' => array('facebook'),
        'http://litnet.lt/loa2' => array('ldap'),
        'http://litnet.lt/loa3' => array('ldap', 'googleauth')
    ),
    'defaultContext' => 'http://litnet.lt/loa1'
)
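The decision the module has to make for each request, as an added example (not the SimpleSAMLphp module's own code, and written in Python rather than PHP so it runs stand-alone): the context-to-source map is the config above re-expressed as a dict, the ranking of contexts by config order and the handling of the SAML Comparison attribute are assumptions of this example.

```python
# Step-up decision for a SAML requested authentication context (added example).
# CONTEXTS mirrors the page's 'contexts' config; dict order is taken as
# weakest -> strongest (assumption: loa1 < loa2 < loa3).
CONTEXTS = {
    "http://litnet.lt/loa1": ["facebook"],
    "http://litnet.lt/loa2": ["ldap"],
    "http://litnet.lt/loa3": ["ldap", "googleauth"],
}
DEFAULT_CONTEXT = "http://litnet.lt/loa1"
RANK = {ctx: i for i, ctx in enumerate(CONTEXTS)}


def select_context(requested, comparison="exact"):
    """Pick the context the IdP must satisfy for an AuthnRequest.

    requested: AuthnContextClassRef URIs in the SP's preference order
    (empty -> defaultContext). Unknown URIs are skipped; if none remain,
    raise so the IdP answers NoAuthnContext instead of silently downgrading.
    """
    if not requested:
        return DEFAULT_CONTEXT
    known = [c for c in requested if c in CONTEXTS]
    if not known:
        raise ValueError("NoAuthnContext: no requested context is supported")
    if comparison == "exact":
        return known[0]                      # first acceptable in SP order
    if comparison == "minimum":
        return min(known, key=RANK.get)      # weakest listed sets the floor
    raise ValueError(f"unsupported Comparison value: {comparison}")


def missing_sources(context, completed):
    """Sources the user still has to pass for `context`, in config order."""
    return [s for s in CONTEXTS[context] if s not in set(completed)]


def asserted_context(completed):
    """Strongest context fully covered by the sources already completed."""
    done = set(completed)
    best = None
    for ctx, sources in CONTEXTS.items():       # ascending strength
        if set(sources) <= done:
            best = ctx
    return best


if __name__ == "__main__":
    # Constructed request: SP asks for loa3, user has only done LDAP so far.
    ctx = select_context(["http://litnet.lt/loa3"])
    print(ctx, "still needs:", missing_sources(ctx, ["ldap"]))
```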

How could this be done for the whole federation, by putting this functionality in some proxy or otherwise? Or I've got a proposal to change the architecture to Hub and Spoke :)