Organisational Authentication Policy

A university may impose an authentication and multi-factor authentication (MFA) policy on its members. This can be done individually for each member by setting the attribute swissEduIDAffiliationSecurityPolicy in their linked affiliation.

The organisational authentication policy is interpreted as a minimum requirement. When a user accesses a service, the authentication policy of a university is combined with the policies of other universities, with the service's configuration and with the user's security settings into an effective policy as described here.

Notes:

  • In general, an organisation's policy cannot disable MFA for any person. If a service enforces MFA, an organisation cannot overrule this. Likewise, if user X has affiliations with organisations A and B, organisation A cannot weaken any MFA parameter set by organisation B.
  • Conversely, if a policy enforces MFA for a user, the user will always be required to log in with MFA, even when accessing services of other organisations. For example, a user has affiliations with organisations A and B, and A requires MFA through a policy. If B needs the user to access a service without MFA (e.g. an exam where they cannot use their phone as second factor), the user will not be able to access that service. Enforcing MFA for a user should therefore be evaluated carefully and communicated beforehand.
  • The MFA settings of a user do not change automatically when they lose an affiliation. However, the user may then be able to lower the MFA parameters or even disable MFA if no policy enforcing it remains.

User attribute

swissEduIDAffiliationSecurityPolicy

swissEduIDAffiliationSecurityPolicy is the attribute used as a container for various security-related policies in affiliations. Its purpose is to make an organisation's policies for a user accessible to the IdP. It is not to be used as a SAML attribute or OIDC claim transmitted to services. However, just like other affiliation attributes, it is provisioned from an organisation to edu-ID using the push or pull method.

Name: swissEduIDAffiliationSecurityPolicy
Description: Security criteria to be applied to various processes, especially the login process. Policy applicable per affiliation.
Vocabulary: JSON data containing the authentication criteria. Type of JSON data: AffiliationSecurityPolicy (see below)
OID: 2.16.756.1.2.5.1.1.2025
# of values: single
Example values:
{
  "mfaPolicy": {
    "mode": "enforced",
    "maxDeviceTrustDuration": "P30D",
    "allowedSecondFactorTypes": ["totp", "sms"]
  }
}
Required: No

An absent attribute generally means that no policy is applied through this affiliation. The default values (or more restrictive ones, if specified by other policies) are used during a user login.


Specification of AffiliationSecurityPolicy JSON Data:

{
  "mfaPolicy": {
    "mode": String,
    "maxDeviceTrustDuration": String,
    "allowedSecondFactorTypes": Array.of(String)
  }
}


At login time, every policy is taken into account and each field is considered independently of the others. Only the most restrictive setting for each field is applied.

To fall back to the default value, a field can either be set to null or be left undeclared.


mode: configures whether the user should always authenticate with MFA or not

  • enforced: Always require MFA
  • optional: Don't require MFA

Default value: optional


maxDeviceTrustDuration: sets the maximum duration of the "remember browser" feature.

  • ISO 8601 time duration (e.g. P7D): Maximum duration, independent of current SSO session.
  • A value of 0 is specified as P0D (or PT0S), i.e. as a regular ISO 8601 time duration. Its meaning is: don't enable and don't evaluate the "remember browser" checkbox; ask for the second factor whenever the current SSO session requires it.

Default value: 30 days (P30D)


allowedSecondFactorTypes: a list of allowed 2-step login token types. Supported types/combinations:

  • ["totp"]
  • ["totp","sms"]

Default value: all second factor types are supported (["totp","sms"])

Note: Setting this value to [] (empty list) would strictly mean "don't allow any second factor type" and is currently not supported.
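The per-field "most restrictive wins" combination described above, as an added illustration (this is not edu-ID's own code): it merges any number of AffiliationSecurityPolicy JSON documents, treats null or missing fields as the defaults, compares ISO 8601 durations numerically, and rejects the unsupported empty list. Service configuration and user settings are assumed to be fed in as further documents of the same shape.

```python
import json
import re

# Defaults stated on the page; an organisation policy is a minimum requirement.
DEFAULTS = {"mode": "optional",
            "maxDeviceTrustDuration": "P30D",
            "allowedSecondFactorTypes": ["totp", "sms"]}

# Subset of ISO 8601 durations used here: PnD, PTnH, PTnM, PTnS and combinations.
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(iso):
    """Convert e.g. P30D, P7D, P0D or PT0S to seconds; reject anything else."""
    m = _DUR.match(iso)
    if not m or iso in ("P", "PT"):
        raise ValueError(f"unsupported duration: {iso}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def effective_policy(policies):
    """Combine AffiliationSecurityPolicy documents (dicts or JSON strings)
    field by field, keeping the most restrictive value of each field.
    Returns the effective mfaPolicy as a dict."""
    eff = dict(DEFAULTS)
    eff["allowedSecondFactorTypes"] = list(DEFAULTS["allowedSecondFactorTypes"])
    for doc in policies:
        doc = json.loads(doc) if isinstance(doc, str) else doc
        p = doc.get("mfaPolicy") or {}          # "{}" means: no policy from this affiliation
        # mode: "enforced" overrides "optional"; no later policy can weaken it again
        if p.get("mode") == "enforced":
            eff["mode"] = "enforced"
        # maxDeviceTrustDuration: the shortest duration wins (P0D disables "remember browser")
        dur = p.get("maxDeviceTrustDuration")
        if dur is not None and duration_seconds(dur) < duration_seconds(eff["maxDeviceTrustDuration"]):
            eff["maxDeviceTrustDuration"] = dur
        # allowedSecondFactorTypes: intersection, since a smaller set is the stricter one
        types = p.get("allowedSecondFactorTypes")
        if types is not None:
            if not types:
                raise ValueError("empty allowedSecondFactorTypes is not supported")
            eff["allowedSecondFactorTypes"] = [t for t in eff["allowedSecondFactorTypes"] if t in types]
    return eff

if __name__ == "__main__":
    # Constructed sample: organisation A enforces TOTP-only, organisation B shortens device trust.
    org_a = '{"mfaPolicy": {"mode": "enforced", "allowedSecondFactorTypes": ["totp"]}}'
    org_b = {"mfaPolicy": {"mode": None, "maxDeviceTrustDuration": "P7D"}}
    print(effective_policy([org_a, org_b]))
```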


Examples

All these examples show only a single policy. Every setting can always be overridden by more restrictive policies imposed by other organisations/affiliations or by service or user settings.

Example 1:

{
  "mfaPolicy": {
    "mode": "enforced",
    "maxDeviceTrustDuration": "P30D",
    "allowedSecondFactorTypes": ["totp"]
  }
}

MFA is enforced for all services the user accesses. The user has to use an authenticator app (or a similar program with TOTP support) as second factor; SMS is not permitted. An MFA session has a lifetime of 30 days on the same device.

Example 2:

{
  "mfaPolicy": {
    "mode": "enforced"
  }
}

MFA is enforced for all services the user accesses. The user may use SMS or an authenticator app (default) as second factor. An MFA session has a lifetime of 30 days (default) on the same device.

Example 3:

{
}

MFA is not enforced for this user by the organisation.