Posted by Cirrus Learning Center Team on Apr 18, 2023 1:52:38 PM

Table of Contents

Situation

Guidance on REFEDS MFA Setup

Azure AD with Azure MFA - REFEDS MFA Setup

Okta with Okta MFA - REFEDS MFA Setup

Azure AD or Okta using Duo MFA (or other non-native MFA) - REFEDS MFA Setup

Example of How to Validate a REFEDS MFA Assertion

REFEDS MFA 1.1 Requirements


Situation

Many InCommon service providers (SPs) currently require the REFEDS Research and Scholarship (R&S) profile for authentication. Increasingly, many also require identity providers (IdPs) to enforce multifactor authentication (MFA) for all populations accessing their services.

See https://refeds.org/profile/mfa for details.

Identity providers enforcing the use of MFA must signal to the Cirrus Bridge that MFA was enforced in order for the Bridge to send the appropriate REFEDS MFA AuthnContext to the downstream SP.

This post provides guidance on how to set up REFEDS MFA and how to validate that the appropriate REFEDS MFA AuthnContext was asserted to an SP.

Guidance on REFEDS MFA Setup

Any SP that requires REFEDS MFA, or for which the IdP organization wants to enforce MFA, should use a Cirrus Bridge application configuration with an MFA policy enabled. For example, if the Cirrus Bridge “Default” application configuration does not require MFA but the “R&S” one does, MFA will only be requested when going to an “R&S” SP.

The MFA policies can enforce MFA for all audience members or can be granular. If the SP requires MFA, it is recommended that all audience members be required to use MFA so that the IdP handles the MFA request gracefully. If MFA enforcement is left to the SP, errors that are confusing to the end user may occur in some cases. How the policies are applied varies between Azure AD, Okta, and other commercial IdP providers. Cirrus Support (support@cirrusidentity.com) can provide configuration guidance.

Azure AD with Azure MFA - REFEDS MFA Setup

For applications that require MFA, or for which you want Cirrus to assert the REFEDS MFA AuthnContext, configure an Azure AD Conditional Access policy that requires Azure MFA. Cirrus will then assert the appropriate REFEDS MFA AuthnContext to the SP.

1. Navigate to the application in Azure AD and select it. For this example, we will use the application Cirrus Federation Bridge - CAS with MFA.

2. Under Security in the left-hand column, select Conditional Access.

3. Select New Policy.

4. Name your policy appropriately. Then configure the new policy's Assignments and Access Control to enforce MFA as shown in the example screenshots below. In our example, we named the Conditional Access policy “MFA for CAS.”

Users - Set to All users.

Cloud apps or actions - Select apps, then add the Cirrus Bridge application(s). In this example there is one application, Cirrus Federation Bridge - CAS with MFA.

[Screenshot: MFA for CAS - Cloud apps or actions]

Conditions - There should be 1 condition that includes 2 Client apps. See the screenshot below:

[Screenshot: MFA for CAS - Conditions]

[Screenshot: Client apps settings - example]

Access Control - Grant - This is where you set MFA as required.

[Screenshot: MFA for CAS - Access Control]

Grant - Select Grant access and ‘Require multifactor authentication’ as below.

[Screenshot: Grant]

Enable Policy and Save - At the bottom under Enable policy, select On and then Save.

[Screenshot: MFA for CAS - Enable policy]

Okta with Okta MFA - REFEDS MFA Setup

Okta can signal to the Cirrus Bridge that Okta MFA was used if you release the “session.amr” attribute to Cirrus. To do this, add an attribute in Attribute Statements (screenshot below).

The Name of the attribute should be: session.amr

The Name format for session.amr should be: Unspecified

The Value should be left blank.

[Screenshot: Attribute Statements]

The attribute will be passed to the Cirrus Bridge as:

[Screenshot: session.amr as received by the Cirrus Bridge]

With this attribute released in Okta, Cirrus will correctly send the REFEDS MFA context to the downstream SP. 

NOTE

One common gotcha is that Okta may be configured to release session.amr only as a single, comma-separated value.

For example:

Cirrus needs the attribute to be released as multi-valued (one value per AttributeValue element). To change this setting, you will need to make a request to Okta support to enable SAML_SUPPORT_ARRAY_ATTRIBUTES.

Azure AD or Okta using Duo MFA (or other non-native MFA) - REFEDS MFA Setup

When Azure AD or Okta is configured to use a non-native MFA, the IdP does not automatically send the signal that MFA was enforced, so the Cirrus Bridge is unaware of any MFA status. Customers must manually configure attributes/claims to send the desired MFA signal to the Cirrus Bridge.

Cirrus added an operation attribute, cirrus.rule.authnContext, that lets customers signal to the Cirrus Bridge which AuthnContext rules are in operation. When the cirrus.rule.authnContext attribute is released with the value “https://refeds.org/profile/mfa”, the Cirrus Bridge will assert the appropriate MFA attributes to downstream SPs.

Use Case                          | Attribute/Claim to Release | Value                          | Result
Duo MFA is enforced for all users | cirrus.rule.authnContext   | https://refeds.org/profile/mfa | Cirrus will assert REFEDS MFA to downstream SPs


Example of How to Validate a REFEDS MFA Assertion

Once your IdP is set up for REFEDS MFA, the steps below validate that MFA was properly asserted. In the example, we are authenticating to the Athena Institute, the Cirrus test environment.

Note: The Athena Institute uses Azure AD for its IdP. However, the steps will be similar for Okta; only the assertion data will look different. An Okta example is included below.

1. Navigate to a Cirrus testing endpoint URL. This is unique for your Cirrus Bridge implementation and will be provided to you by Cirrus.

a. Example: https://athena-bridge.proxy.cirrusidentity.com/demo.php

2. Authenticate. You should be prompted for MFA.

3. After successfully authenticating, you should see a screen for your institution similar to the one for the Athena Institute below. Click the "test authenticating with your Cirrus proxy" link:

[Screenshot: test authentication]

4. You should see results similar to the screenshot below. The important pieces of information are noted.

For Azure AD, the key attribute/claim is: http://schemas.microsoft.com/claims/authnmethodsreferences

You should see this in the left-hand column.

One of the claim values should be http://schemas.microsoft.com/claims/multipleauth

This indicates that MFA is enforced for all populations using the Cirrus Bridge application.

For Okta, the key attribute asserted, session.amr, should have a value of mfa as in the screenshot below.

[Screenshot: session.amr]

5. The Cirrus Bridge transforms this claim to assert that REFEDS MFA is true. This is required for compliance with NIH security requirements. To verify the AuthData the Cirrus Bridge will assert, click "Click to view AuthData". You should see an assertion similar to the example below for Azure AD.

[Screenshot: AuthData]

6. If so, you are configured correctly to signal that MFA was enforced and is asserted. If not, please reach out to the Cirrus Team (support@cirrusidentity.com) and we can set up a meeting to troubleshoot.
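The following Python is an added example, not Cirrus Bridge code, that puts the three upstream MFA signals described in this post (Azure AD's authnmethodsreferences claim, Okta's session.amr attribute including the comma-separated gotcha, and the cirrus.rule.authnContext operation attribute) next to the downstream check from step 5: does the assertion's AuthnContextClassRef carry the REFEDS MFA URI. The attribute dictionary and the SAML assertion fragment are constructed for illustration; the REFEDS and Microsoft URIs are the ones quoted above.

```python
import xml.etree.ElementTree as ET

REFEDS_MFA = "https://refeds.org/profile/mfa"
AZURE_AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
AZURE_MULTIPLEAUTH = "http://schemas.microsoft.com/claims/multipleauth"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def upstream_signals_mfa(attrs):
    """Return True if the attributes released by the upstream IdP carry one of the
    three MFA signals this article describes. attrs maps attribute/claim name to
    the list of values received (constructed dict; not the Bridge's own data model)."""
    # Azure AD with Azure MFA: authnmethodsreferences includes multipleauth
    if AZURE_MULTIPLEAUTH in attrs.get(AZURE_AMR_CLAIM, []):
        return True
    # Okta with Okta MFA: session.amr must be multi-valued and include "mfa".
    # A single value like "pwd,mfa" is the comma-separated gotcha from the NOTE above.
    amr = attrs.get("session.amr", [])
    if len(amr) == 1 and "," in amr[0]:
        raise ValueError("session.amr arrived as one comma-separated value; "
                         "ask Okta support to enable SAML_SUPPORT_ARRAY_ATTRIBUTES")
    if "mfa" in amr:
        return True
    # Non-native MFA (e.g. Duo): the customer releases the operation attribute
    if REFEDS_MFA in attrs.get("cirrus.rule.authnContext", []):
        return True
    return False


def assertion_has_refeds_mfa(assertion_xml):
    """Parse a SAML 2.0 Assertion and return True if any AuthnContextClassRef
    equals the REFEDS MFA URI, i.e. what step 5 asks you to confirm in AuthData."""
    root = ET.fromstring(assertion_xml)
    refs = root.findall(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    return any((ref.text or "").strip() == REFEDS_MFA for ref in refs)


# Constructed assertion fragment for testing; not real Cirrus Bridge output.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2023-04-18T13:52:38Z">
  <saml:AuthnStatement AuthnInstant="2023-04-18T13:52:38Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```

Running `assertion_has_refeds_mfa` against the decoded assertion shown on the AuthData page gives the same yes/no answer as reading the screenshot by eye, and `upstream_signals_mfa` raising on a comma-joined session.amr is the quickest way to spot the Okta array-attribute problem before contacting support.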

REFEDS MFA 1.1 Requirements

REFEDS MFA requirements continue to evolve. Cirrus Identity is committed to supporting the REFEDS standards. We are evaluating potential changes to these MFA requirements as we learn about them and will provide enhancements to meet our customers’ needs. As we move forward, we will both share those changes with Cirrus Identity customers and update this document.