
mfa-interop - RE: [MFA-Interop] FW: [refeds] Consultation: REFEDS MFA Profile

Subject: MFA Interop Working Group

  • From: Eric Goodman <>
  • To: Eric Goodman <>, "" <>
  • Subject: RE: [MFA-Interop] FW: [refeds] Consultation: REFEDS MFA Profile
  • Date: Thu, 2 Mar 2017 00:08:02 +0000

Sorry, that should say "Framework-related assertions sent".

The Assurance Framework is very VoT-like, so has eduPersonAssurance values to
indicate eppn reassignment, level of identity proofing and authentication
process (MFA) used. Only one of those categories maps to AuthnContext, so
it's kind of an outlier here.

--- Eric

-----Original Message-----
From: [mailto:] On Behalf Of Eric Goodman
Sent: Wednesday, March 01, 2017 3:58 PM
To:
Subject: RE: [MFA-Interop] FW: [refeds] Consultation: REFEDS MFA Profile

>> With their attribute based model, they allowed an SP to say "I
>> require minimum good-entropy" (lower level than MFA) and for the IdP to
>> respond with "I did MFA".

>How would they expect the SP to say that?

Hmmm. Looks like the SP doesn't literally request, but indicates they want
profile information sent. Conforming IdPs just populate the
eduPersonAssurance values appropriate to what was done, and the SP examines
and makes decisions based on the assertion.

The current draft doesn't have the old language around MFA vs. other levels
of authentication, so I don't know or remember how/if it signaled the need
for MFA "on the wire" vs. expecting the SP to display "hey dummy, log in
again but use MFA this time" in a message to the end user.

--- Eric






