Service-initiated MFA using SAML 2.0

When using SAML 2.0, the service must include a saml:AuthnContextClassRef element (inside samlp:RequestedAuthnContext) in the authentication request it sends to the IdP:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     [...]>
  <saml:Issuer>https://sp.example.com/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true" />
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>urn:mace:feide.no:auth:level:fad08:3</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

If the service uses SimpleSAMLphp, this can be done by passing the saml:AuthnContextClassRef parameter when starting authentication:

// Assumes an SP authentication source named 'default-sp' in authsources.php.
$auth = new \SimpleSAML\Auth\Simple('default-sp');
// Ask the IdP for the MFA authentication level when starting login.
$auth->login([
  'saml:AuthnContextClassRef' => 'urn:mace:feide.no:auth:level:fad08:3',
]);

After authentication, the service should check the eduPersonAssurance attribute in the response to verify that the required authentication level was actually reached; requesting a level is not the same as having received it. Note that when using SAML 2.0 the response will contain an error status if the user has no way of using MFA, so the service must handle that case as a failed login rather than a missing attribute.
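The two steps above, building the AuthnRequest with a RequestedAuthnContext and checking eduPersonAssurance (or the error status) afterwards, as an added Python example that is not part of this page or of any SAML library. It uses only the standard library, the issuer and level values shown on the page, and constructed sample responses. It assumes the IdP delivers the attribute under the Name "eduPersonAssurance" (some IdPs use the OID form instead) and that signature, audience and timestamp validation has already been done by the service's SAML library, since this code inspects only the decoded result.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Authentication level this service requires (value from the page).
REQUIRED_LEVEL = "urn:mace:feide.no:auth:level:fad08:3"


def build_authn_request(issuer: str, request_id: str, issue_instant: str, level: str) -> str:
    """Build a minimal AuthnRequest that asks the IdP for the given AuthnContextClassRef."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
        "AllowCreate": "true",
    })
    # The requested level goes inside RequestedAuthnContext, as on the page.
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext")
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = level
    return ET.tostring(req, encoding="unicode")


def verify_assurance(response_xml: str, required_level: str) -> tuple:
    """Return (ok, reason) for an already signature-validated SAML Response.

    A non-Success status (e.g. Responder/NoAuthnContext when the user cannot do
    MFA) is a failed login; otherwise the required level must be listed in
    eduPersonAssurance. Attribute name "eduPersonAssurance" is an assumption.
    """
    root = ET.fromstring(response_xml)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    top_value = top.get("Value") if top is not None else None
    if top_value != STATUS_SUCCESS:
        sub = top.find("samlp:StatusCode", NS) if top is not None else None
        sub_value = sub.get("Value") if sub is not None else "no second-level code"
        return False, f"IdP returned {top_value} / {sub_value}"
    levels = [
        v.text.strip() for v in root.findall(
            "saml:Assertion/saml:AttributeStatement/"
            "saml:Attribute[@Name='eduPersonAssurance']/saml:AttributeValue", NS)
        if v.text
    ]
    if required_level in levels:
        return True, f"eduPersonAssurance contains {required_level}"
    return False, f"eduPersonAssurance {levels} lacks {required_level}"


# Constructed sample responses (not real IdP output). Timestamps and IDs are placeholders.
SAMPLE_MFA_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="eduPersonAssurance">
        <saml:AttributeValue>urn:mace:feide.no:auth:level:fad08:3</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Error response: the IdP could not satisfy the requested context (user has no MFA).
SAMPLE_NO_MFA_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_authn_request("https://sp.example.com/", "_req1",
                              "2024-01-01T00:00:00Z", REQUIRED_LEVEL))
    print(verify_assurance(SAMPLE_MFA_RESPONSE, REQUIRED_LEVEL))
    print(verify_assurance(SAMPLE_NO_MFA_RESPONSE, REQUIRED_LEVEL))
```

The check is deliberately an exact match on the level string: accepting "higher" levels would require knowing the IdP's level ordering, which this page does not define, and a lax match is how a service ends up treating a password-only login as MFA.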