Stephen Burr, Executive Director of Enterprise Systems, University of Kentucky: I’m interested in the scope of the MFA requirement, but not specifically through ADFS. We’ve implemented via Gluu, but we use ADFS for lots of other things. Specifically, is the requirement to implement MFA for all federated applications, or just for NIH?
Here’s the REFEDs MFA Profile: https://refeds.org/profile/mfa
And is the assertion sent with the user attributes? Or is it some kind of global assertion?
The signaling in SAML relies on the RequestedAuthnContext and AuthnContext/AuthnContextClassRef elements in requests and assertions, not Attributes.
The signaling Tom is referring to is communicating the defined class ref URI in the assertions and handling requests for it.
Right now Stephen, the MFA Profile will be required for federated access to NIH. That said, there are quite a number of research service providers that are interested in it as well.
The vast majority of non-open source IdPs cannot act compliantly in either way.
ADFS Toolkit: http://adfstoolkit.org/content/
The REFEDS link points to an article explaining the issues
firstname.lastname@example.org Cirrus Support
Identity provider as a service working group report: https://incommon.org/news/final-report-on-identity-provider-as-a-service-open-for-consultation/
We have ADFS in our infrastructure at the UW (for other reasons) and our ADFS admin was able to write a custom claim rule to set authnContextClassRef in the authn requests it makes to our Shibboleth IdP. I don't know if the same approach can be used to inject the right authnContextClassRef in authn responses it sends to SPs.
For those interested -- I can field further questions. Just email email@example.com. URL for product is https://www.cirrusidentity.com/products/bridge
@michael brogan - I'm interested in that custom claim firstname.lastname@example.org
Mary Ann Blair
Is the compliance check tool sufficient for verifying readiness?
I can probably dig up that rule from our ADFS admins. Email me at email@example.com.
Related to ADFS custom claims rules for MFA: https://social.msdn.microsoft.com/Forums/vstudio/en-US/212b778f-d050-4d1a-b1e9-b204d8e7634b/adfs-20-is-there-a-way-to-configure-the-authncontextclassref-that-is-generated-in-the-saml?forum=Geneva
Is there anyone here looking at this from a CAS IdP standpoint?
Assured Access Working Group: https://internet2.zoom.us/j/96615320068
Here's the AAWG link: https://spaces.at.internet2.edu/display/aawg/
Oh dang… Thanks Tom.
REFEDS Assurance Framework can be found here: https://refeds.org/assurance
And here is the NIST 800-63 Identity Assurance Guideline: https://pages.nist.gov/800-63-3/sp800-63a.html
Section 4.7 of 800-63A summarizes the IAL requirements
Local Enterprise - See definition in Appendix A of the REFEDS Assurance Framework above.
Is this Compliance Check link working: https://auth.nih.gov/CertAuthV3/forms/eRAcompliancecheck.aspx
It aligns nicely to Baseline Expectations already in place for the InCommon community.
I got a "500 Internal server error", am I broken or are they?
Worked for me.
I am getting a 500 as well
This is my 500 err: Server Error 500 - Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed. :names:tc:SAML:2.0:status:Responder Sub-Status: urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext
That's your IdP refusing to handle their request for MFA via that context class.
(I doubt they mean for it to trigger a 500, but that's your IdP not supporting REFEDS MFA profile.)
I briefly see my IdP's splash page before getting a 500 error. I am never asked to authenticate but I get the same error
I get a 500 with "Exception: No identity provider was selected by user." after I pick the UW IdP off the list. Our IdP does support REFEDS MFA and the R&S attribute bundle.
You don't get a page because your IdP immediately knows that it doesn't understand the value being requested.
@Scott is that a reply to Michael B’s comment?
Michael's sounds to me like a browser glitch.
ADFS with Duo supports the remember-me feature; ADFS can bypass 2FA if the user is already authenticated to one of the apps.
Have to drop off
We do not support REFEDS Research & Scholarship. Do we need to have MFA on our Shib SSO?
Elena of Boston College has a question
Different REFEDS value, I think?
Missing the MFA assertion?
"https://refeds.org/profile/mfa" is the AuthnContext class that's being used
Nothing to do with the assurance discussion, because MFA is orthogonal to identity assurance.
@Scott, is there a Shib min version requirement for this, or should config work on any supported IdP?
For configuring the REFEDS MFA AuthnContext, that is?
Here are some examples for configurations: https://wiki.refeds.org/pages/viewpage.action?pageId=50626893
There's no practical/usable way to do MFA sanely prior to 3.3 though.
Should we pester the CAS-user list to get an example on here, Ann?
Please feel free to reach out to NIH at NIHLoginInternal <NIHLogin.Internal@mail.nih.gov> for any questions/issues regarding the compliance page testing process.
Elena Ryazanova, Boston College Middleware Systems: We have Shib IdP integrated with NetIQ Access Manager via idp.authn.flows=RemoteUser. The authentication step is performed by NAM; we cannot identify which SP requested the SAML session on the Shib IdP side and whether DUO has been requested. DUO SAML server by NAM, InCommon Shib. Could anyone with a similar setup where the authorization step happens outside of Shib share their configuration details?
Is there any way to make it easier for the “birds of a feather” on this call with similar infrastructure to find each other to solve or commiserate as necessary?
My 500 error "no identity provider selected" has gone away, replaced with a green compliance checkmark.
I've got to drop at 5.
@Hiroki You can subscribe to the Assured Access Working Group email list: https://spaces.at.internet2.edu/display/aawg
Thank you all for your help with this change.
We will also be putting more information in our newsletter and in email as it becomes available.
This is good information, thank you all. I have to run to another meeting.
Thanks all for joining!
Mary Ann Blair
Sorry. Jeff, do you know when our users will be receiving the notice to check whether we are ready?