(Eimantas Šerpenskas)
Haka mesh step-up: https://wiki.eduuni.fi/display/CSCHAKA/Haka+MFA
Federation architectures: https://wiki.geant.org/display/eduGAIN/Federation+Architectures
Software used in most IdPs: https://simplesamlphp.org/
Level of Assurance Authentication Context Profiles for SAML 2.0: https://www.oasis-open.org/committees/download.php/28706/sstc-saml-loa-authncontext-profile-draft-01.pdf
Ways an SP could ask for a particular level of assurance (or several):
In the home organization it can be (and is) realized by creating a SimpleSAMLphp module that checks the requested LoA and forces authentication against additional sources. For example, in the authsources.php configuration, next to the ordinary sources:

    'ldap' => array( … ),
    'facebook' => array( … ),
    'googleauth' => array( … ),

    'multisourceauth' => array(
        'multifactorauth:MultiFactor',
        'contexts' => array(
            'http://litnet.lt/loa1' => array('facebook'),
            'http://litnet.lt/loa2' => array('ldap'),
            'http://litnet.lt/loa3' => array('ldap', 'googleauth')
        ),
        'defaultContext' => 'http://litnet.lt/loa1'
    )

Each requested LoA URI maps to the list of sources that must all succeed before that context is asserted; if the SP requests no context, defaultContext applies.
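The following is an added example, not code from the post or from SimpleSAMLphp: a stand-alone Python model of what such a module has to decide. It reuses the three LoA URIs and source lists from the configuration above, assumes the ranking loa1 < loa2 < loa3 (the post does not state an order), applies the SAML 2.0 RequestedAuthnContext Comparison semantics (exact, minimum, maximum, better) on the IdP side, and includes the matching SP-side check of the AuthnContextClassRef that comes back. The important failure mode is that a request the IdP cannot satisfy must be refused (NoAuthnContext status), never quietly served at defaultContext, because that would let a step-up requirement be bypassed.

```python
"""Model of LoA-driven step-up resolution for a SAML IdP and the SP's check.

Example code only; not SimpleSAMLphp and not the module described in the post.
The SP sends <RequestedAuthnContext Comparison="..."> with AuthnContextClassRef
URIs (used here as LoA identifiers). The IdP picks the context it will satisfy,
runs every auth source mapped to it, and places that context in the assertion;
the SP then verifies the returned context against what it requested.
"""

# Constructed to mirror the authsources fragment in the post.
# The ordering loa1 < loa2 < loa3 is an assumption.
LOA_ORDER = ["http://litnet.lt/loa1", "http://litnet.lt/loa2", "http://litnet.lt/loa3"]
CONTEXTS = {
    "http://litnet.lt/loa1": ["facebook"],
    "http://litnet.lt/loa2": ["ldap"],
    "http://litnet.lt/loa3": ["ldap", "googleauth"],
}
DEFAULT_CONTEXT = "http://litnet.lt/loa1"


class NoAuthnContext(Exception):
    """The request cannot be satisfied. The IdP should answer with the
    urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext status, not downgrade."""


def _rank(ctx):
    return LOA_ORDER.index(ctx)


def select_context(requested, comparison="exact"):
    """Choose the LoA the IdP will authenticate at.

    Follows the SAML 2.0 Comparison semantics. Among acceptable contexts the
    weakest is chosen to minimise user friction (except for "maximum", which by
    definition asks for the strongest one not exceeding the request). A context
    the SP did not ask for is never substituted silently.
    """
    if not requested:
        return DEFAULT_CONTEXT  # nothing requested: the configured default applies
    known = [c for c in requested if c in CONTEXTS]
    if not known:
        raise NoAuthnContext(f"no supported context among {requested}")
    lo, hi = min(map(_rank, known)), max(map(_rank, known))
    supported = [c for c in LOA_ORDER if c in CONTEXTS]  # weakest -> strongest
    if comparison == "exact":
        candidates = [c for c in supported if c in known]
    elif comparison == "minimum":
        candidates = [c for c in supported if _rank(c) >= lo]
    elif comparison == "maximum":
        candidates = [c for c in supported if _rank(c) <= hi]
        return candidates[-1]  # strongest that does not exceed the request
    elif comparison == "better":
        candidates = [c for c in supported if _rank(c) > hi]
    else:
        raise ValueError(f"unknown Comparison value {comparison!r}")
    if not candidates:
        raise NoAuthnContext(f"cannot satisfy Comparison={comparison} for {requested}")
    return candidates[0]


def required_sources(ctx):
    """All auth sources that must succeed before the IdP asserts `ctx`."""
    return list(CONTEXTS[ctx])


def sp_accepts(returned, requested, comparison="exact"):
    """SP-side check on the assertion's AuthnContextClassRef.

    Without this check a misconfigured IdP that falls back to its default
    context would pass a login at a weaker LoA than the SP required.
    """
    if not requested:
        return True
    if comparison == "exact":
        return returned in requested
    known = [c for c in requested if c in LOA_ORDER]
    if returned not in LOA_ORDER or not known:
        return False  # unrankable values cannot satisfy a ranked comparison
    r, lo, hi = _rank(returned), min(map(_rank, known)), max(map(_rank, known))
    if comparison == "minimum":
        return r >= lo
    if comparison == "maximum":
        return r <= hi
    if comparison == "better":
        return r > hi
    raise ValueError(f"unknown Comparison value {comparison!r}")


if __name__ == "__main__":
    ctx = select_context(["http://litnet.lt/loa3"], "exact")
    print(ctx, "->", required_sources(ctx))  # loa3 -> ['ldap', 'googleauth']
    print(sp_accepts("http://litnet.lt/loa1", ["http://litnet.lt/loa3"]))  # False
```

The SP-side function is the half that is easy to forget: the IdP module enforces the step-up, but only the SP can notice an assertion that came back at loa1 when it asked for loa3.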
In what way could it be done for the whole federation, by putting this functionality in some proxy or otherwise? Or I’ve got a proposal to change the architecture to Hub and Spoke :)