Many InCommon service providers (SPs) currently require the REFEDS Research and Scholarship profile for authentication. Increasingly many also require identity providers to enforce the use of multifactor authentication (MFA) for all populations accessing their services.
See https://refeds.org/profile/mfa for details.
Identity providers enforcing the use of MFA must signal to the Cirrus Bridge that MFA was enforced in order for the Bridge to send the appropriate REFEDS MFA context to the downstream SP.
This post provides guidance on how to set up REFEDS MFA and how to validate that the appropriate REFEDS MFA AuthnContext was asserted to an SP.
Guidance on REFEDS MFA Setup
Any SP that requires REFEDS MFA, or for which the IdP organization wants to enforce MFA, should be mapped to a Cirrus Bridge application configuration with an MFA policy enabled. For example, if the Cirrus Bridge “Default” application configuration does not require MFA but the “R&S” one does, MFA will only be asked for when going to an “R&S” SP.
The MFA policies can enforce MFA for all audience members or can be granular. If MFA is required by the SP, it is recommended that all audience members be forced to use MFA so that the IdP prompts for MFA up front. If MFA is only enforced for some users, the SP will reject the assertion for users who did not perform MFA, and the resulting error is confusing to the end user. How the policies are applied varies for Azure AD, Okta, or other commercial IdP providers. Cirrus Support can provide configuration guidance.
Azure AD with Azure MFA - REFEDS MFA Setup
For applications that require MFA, or for which you want Cirrus to assert the REFEDS MFA AuthnContext, configure an Azure AD Conditional Access policy that requires Azure MFA for the Cirrus Bridge application. Cirrus will then assert the appropriate REFEDS MFA AuthnContext to the SP.
1. Navigate to the application in Azure AD and select it. For this example, we will use the application Cirrus Federation Bridge - CAS with MFA.
2. Under Security in the left-hand column select Conditional Access
3. Select New Policy
4. Name your policy appropriately. Then configure the new policy's Assignments and Access Control to enforce MFA as shown in the example screenshots below. In our example, we named the Conditional Access policy “MFA for CAS.”
Users - All users
Cloud apps or actions - Select apps, and add the Cirrus Bridge application(s). In this example there is one application, Cirrus Federation Bridge - CAS with MFA.
Conditions - There should be one condition, Client apps, with two client app types selected (screenshot: Client apps settings example).
Access Control - Grant. This is where MFA is made mandatory: select Grant access and check ‘Require multifactor authentication’.
Enable policy and Save - At the bottom, under Enable policy, select On and then Save. Leaving the policy in Report-only evaluates it but never prompts for MFA, so Cirrus will not receive an MFA signal.
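The portal steps above correspond to the JSON body Microsoft Graph accepts at POST /identity/conditionalAccess/policies. The following is an added example written for this article, not Cirrus or Microsoft code: it builds that policy body and audits an exported policy for the settings that decide whether the bridge actually sees an MFA signal (report-only state, users not set to All, exclusions, app out of scope, missing client app types, MFA OR'd with another control). The application ID is a placeholder, and the two client app types are assumed to be the portal's Browser and Mobile apps and desktop clients options.

```python
"""Model the Conditional Access policy from the steps above as Microsoft Graph
JSON and audit an exported policy for the settings that make Cirrus see MFA."""

# Placeholder: use the application (client) ID of your Cirrus Bridge app.
CIRRUS_BRIDGE_APP_ID = "00000000-0000-0000-0000-000000000000"

# Assumed to be the two client app types from the screenshot.
REQUIRED_CLIENT_APP_TYPES = ("browser", "mobileAppsAndDesktopClients")


def mfa_policy_for(app_id, name="MFA for CAS"):
    """Graph conditionalAccessPolicy equivalent to the portal steps above."""
    return {
        "displayName": name,
        # "enabledForReportingButNotEnforced" is Report-only and never prompts.
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": list(REQUIRED_CLIENT_APP_TYPES),
        },
        # Grant access + Require multifactor authentication.
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def audit_mfa_policy(policy, app_id):
    """Return a list of problems; an empty list means every user of app_id
    will be prompted for MFA before reaching the Cirrus Bridge."""
    problems = []
    if policy.get("state") != "enabled":
        problems.append(f"state is {policy.get('state')!r}: policy is not enforced")

    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        problems.append("users are not 'All': some populations reach the SP without MFA")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        problems.append("excluded users/groups reach the SP without MFA")

    apps = cond.get("applications", {}).get("includeApplications", [])
    if app_id not in apps and "All" not in apps:
        problems.append("Cirrus Bridge app is not in the policy scope")

    client_types = set(cond.get("clientAppTypes", []))
    if "all" not in client_types:
        for needed in REQUIRED_CLIENT_APP_TYPES:
            if needed not in client_types:
                problems.append(f"client app type {needed!r} is not covered")

    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        problems.append("grant control does not require MFA")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        problems.append("MFA is one of several OR'd controls, so access can be granted without MFA")
    return problems


if __name__ == "__main__":
    good = mfa_policy_for(CIRRUS_BRIDGE_APP_ID)
    print("good policy problems:", audit_mfa_policy(good, CIRRUS_BRIDGE_APP_ID))
    report_only = mfa_policy_for(CIRRUS_BRIDGE_APP_ID)
    report_only["state"] = "enabledForReportingButNotEnforced"
    print("report-only problems:", audit_mfa_policy(report_only, CIRRUS_BRIDGE_APP_ID))
```

The audit is worth running against a policy exported from Graph (GET /identity/conditionalAccess/policies) after any change. The two findings that most often surprise people are a policy left in Report-only and break-glass accounts excluded from the policy: both let a session reach the bridge without the multipleauth claim, and the SP then rejects it.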
Okta with Okta MFA - REFEDS MFA Setup
Okta can signal to the Cirrus Bridge that Okta MFA was used if you release the “session.amr” attribute to Cirrus. To do this, in the application's Attribute Statements (screenshot below) add an attribute:
The Name of the attribute should be: session.amr
The Name format for session.amr should be: Unspecified
Leave the Value blank.
The attribute will be passed to the Cirrus Bridge as session.amr carrying Okta's authentication method references (for example mfa).
With this attribute released in Okta, Cirrus will correctly send the REFEDS MFA context to the downstream SP.
One common gotcha is that Okta may be configured to release session.amr as a single comma-separated value (for example “pwd,mfa”).
Cirrus needs the attribute to be released as multi-valued, one AttributeValue per method. To change this setting, you will need to make a request to Okta support to enable SAML_SUPPORT_ARRAY_ATTRIBUTES.
Azure AD or Okta using Duo MFA (or other non-native MFA) - REFEDS MFA Setup
When Azure AD or Okta are configured to use a non-native MFA, the IdPs do not automatically send the signal that MFA is enabled and therefore, the Cirrus Bridge is unaware of any MFA status. Customers must manually configure attributes/claims to send the desired MFA signal to the Cirrus Bridge.
Cirrus added an operation attribute cirrus.rule.authnContext to allow customers to signal to the Cirrus Bridge the authncontext rules in operation. When cirrus.rule.authnContext attribute is released with the value “https://refeds.org/profile/mfa”, the Cirrus Bridge will assert the appropriate MFA attributes to downstream SPs.
Scenario: Duo MFA is enforced for all users
Attribute/Claim to release: cirrus.rule.authnContext with the value https://refeds.org/profile/mfa
Result: Cirrus will assert REFEDS MFA to downstream SPs
Example of How to Validate a REFEDS MFA Assertion
Once your IdP is set up for REFEDS MFA, below are the steps to validate that MFA was properly asserted. In the example, we are authenticating to our Athena Institute, the Cirrus test environment.
Note: The Athena Institute uses Azure AD for its IdP. However, the steps will be similar for Okta. Only the assertion data will look different. An Okta example is included below.
1. Navigate to a Cirrus testing endpoint URL. This is unique for your Cirrus Bridge implementation and will be provided to you by Cirrus.
a. Example: https://athena-bridge.proxy.cirrusidentity.com/demo.php
2. Authenticate. You should be prompted for MFA.
3. After successfully authenticating, you should see a screen for your institution similar to the one for the Athena Institute below. Click the “test authenticating with your Cirrus proxy” link:
4. You should see results similar to the screenshot below. The important pieces of information are noted.
For Azure AD, the key attribute/claim is: http://schemas.microsoft.com/claims/authnmethodsreferences
You should see this in the left-hand column.
One of the claim values should be http://schemas.microsoft.com/claims/multipleauth
This value indicates that MFA was performed for this authentication. Because the Conditional Access policy above applies to all users of the Cirrus Bridge application, every session arriving at the bridge through that application should carry it.
For Okta the key attribute asserted, attribute session.amr, should have a value of mfa as in the picture below.
5. The Cirrus Bridge transforms this claim into the REFEDS MFA AuthnContext (https://refeds.org/profile/mfa) for the SP. This is required for compliance with NIH security requirements. To verify the AuthData the Cirrus Bridge will assert, click “view AuthData”. You should see an assertion similar to the Azure AD example below.
6. If so, you are configured correctly: MFA was enforced and is asserted. If not, please reach out to the Cirrus Team and we can set up a meeting to troubleshoot.
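The validation steps above, the Okta session.amr gotcha, and the cirrus.rule.authnContext signal for Duo all come down to two questions: did the upstream IdP tell the bridge that MFA happened, and did the bridge put https://refeds.org/profile/mfa in the AuthnContextClassRef it sends to the SP? The following is an added example written for this article, not Cirrus code. It parses constructed, unsigned SAML assertions with the standard library and answers both questions; the precedence among the three signals is this example's own choice and is not a statement about how the Cirrus Bridge is implemented, and the Azure password method value in the sample is a constructed placeholder. In a real deployment these checks run only after your SAML library has validated the signature.

```python
"""Check the MFA signal an upstream IdP sent to the bridge and the AuthnContext
the bridge asserts downstream. Sample assertions are constructed and unsigned."""
import xml.etree.ElementTree as ET

REFEDS_MFA = "https://refeds.org/profile/mfa"
AZURE_AMR = "http://schemas.microsoft.com/claims/authnmethodsreferences"
AZURE_MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauth"
OKTA_AMR = "session.amr"
CIRRUS_RULE = "cirrus.rule.authnContext"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML = "{%s}" % NS["saml"]


def make_assertion(authn_context, attributes):
    """Build a minimal SAML 2.0 Assertion (constructed for this example, no signature)."""
    ET.register_namespace("saml", NS["saml"])
    root = ET.Element(SAML + "Assertion", ID="_constructed", Version="2.0")
    ctx = ET.SubElement(ET.SubElement(root, SAML + "AuthnStatement"), SAML + "AuthnContext")
    ET.SubElement(ctx, SAML + "AuthnContextClassRef").text = authn_context
    stmt = ET.SubElement(root, SAML + "AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, SAML + "Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, SAML + "AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def assertion_authn_context(xml_text):
    """AuthnContextClassRef of the assertion, or None if absent."""
    node = ET.fromstring(xml_text).find(".//saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return node.text.strip() if node is not None and node.text else None


def assertion_attributes(xml_text):
    """Attribute name -> list of values, one entry per AttributeValue element."""
    out = {}
    for attr in ET.fromstring(xml_text).findall(".//saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def upstream_mfa_signal(attrs):
    """Decide whether the upstream IdP signalled MFA. Returns (signalled, reason).
    Precedence is this example's choice, not Cirrus internals: the explicit
    cirrus.rule.authnContext first, then the IdP's native amr claim."""
    if REFEDS_MFA in attrs.get(CIRRUS_RULE, []):
        return True, "cirrus.rule.authnContext asserts REFEDS MFA"
    if AZURE_AMR in attrs:
        if AZURE_MFA_VALUE in attrs[AZURE_AMR]:
            return True, "Azure AD amr includes multipleauth"
        return False, "Azure AD amr present without multipleauth: MFA was not performed"
    if OKTA_AMR in attrs:
        values = attrs[OKTA_AMR]
        if len(values) == 1 and "," in values[0]:
            # The gotcha from the Okta section: one joined value instead of many.
            return False, ("session.amr arrived as a single comma-separated value; "
                           "ask Okta support to enable SAML_SUPPORT_ARRAY_ATTRIBUTES")
        if "mfa" in values:
            return True, "Okta session.amr includes mfa"
        return False, "Okta session.amr present without mfa: MFA was not performed"
    return False, "no MFA signal in the assertion"


def downstream_asserts_refeds_mfa(xml_text):
    """What the SP (or the AuthData view on the demo page) should see."""
    return assertion_authn_context(xml_text) == REFEDS_MFA


# Constructed samples, one per scenario in the text.
AZURE_UPSTREAM = make_assertion(PASSWORD_CTX, {AZURE_AMR: [
    "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",  # placeholder
    AZURE_MFA_VALUE]})
OKTA_COMMA_JOINED = make_assertion(PASSWORD_CTX, {OKTA_AMR: ["pwd,mfa"]})
OKTA_MULTI_VALUED = make_assertion(PASSWORD_CTX, {OKTA_AMR: ["pwd", "mfa"]})
DUO_VIA_RULE = make_assertion(PASSWORD_CTX, {CIRRUS_RULE: [REFEDS_MFA]})
BRIDGE_DOWNSTREAM = make_assertion(REFEDS_MFA, {"eduPersonPrincipalName": ["jdoe@example.org"]})

if __name__ == "__main__":
    samples = [("Azure AD", AZURE_UPSTREAM), ("Okta comma-joined", OKTA_COMMA_JOINED),
               ("Okta multi-valued", OKTA_MULTI_VALUED), ("Duo via rule", DUO_VIA_RULE)]
    for label, xml_text in samples:
        print(label, upstream_mfa_signal(assertion_attributes(xml_text)))
    print("downstream REFEDS MFA:", downstream_asserts_refeds_mfa(BRIDGE_DOWNSTREAM))
```

When troubleshooting a rejected login, run the upstream check against the assertion the bridge received from the IdP and the downstream check against the one shown under AuthData; the two together tell you whether the problem is the IdP policy (no multipleauth or mfa value), the Okta attribute shape (one comma-joined value), or the bridge mapping.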
REFEDS MFA 1.1 Requirements
REFEDS MFA requirements continue to evolve. Cirrus Identity is committed to supporting the REFEDS standards. We are evaluating potential changes to these MFA requirements – as we learn about them and will provide enhancements to meet our customers’ needs. As we move forward, we will both share those changes with Cirrus Identity customers, and update this document.