...
REFEDS (The Research and Education FEDerations group) defines a Multi-Factor Authentication profile which provides a set of recommendations, best practices and their explanations for facilitating unambiguous communication between the SP (Service provider) and IdP (Identity provider) when MFA is required by the SP.
In the context of this document, we are mainly concerned with the SP. Service provider is an application providing access to some services or resourcs which need to be protected using MFA. Indentity provider, on the other hand, is a component able to perform the MFA and return a claim containing the result of the authentication.
ProxyIdP acts as an IdP in this exchange. The SP triggers MFA using REFEDS MFA profile and checks whether it was performed successfully based on the claims returned by the IdP in the
The profile specifies details about what is considered to be a sufficient MFA on the side of the IdP, how shoud the SP initiate the request for MFA with IdP, what should be the content and order of the communication messages and what are the possible paths in this authentication process. Part of the profile is the definition of a SAML authentiaciton authentication context for communication between the SP and IdP.
Further information about the individul individual steps of the process including the massages messages used to request the IdP to perform MFA, possible return values based on the authentication result as well as configuration regarding MFA enforcement can be found in the SP portion of FAQ. Specific information on how to set up MFA enforcement on ProxyIdP using REFEDS MFA profile is provided in the just-in-time provisioning section.
General information about the MFA profile can be found here on the REFEDS website and more detailed description of the concept can be found in the MFA profile FAQ section here.