Organisational Authentication Policy
A university may impose an authentication and multi-factor policy on its members. This can be done individually for each member by setting the attribute swissEduIDAffiliationSecurityPolicy in their linked affiliation.
The organisational authentication policy is interpreted as a minimum requirement. When a user accesses a service, the authentication policy of a university is combined with the policies of other universities, with the service's configuration and with the user's security settings into an effective policy as described here.
Notes:
- A policy of an organisation can generally not disable MFA for any person. If a service enforces MFA, an organisation cannot overrule this. Likewise, if user X has affiliations with organisations A and B, organisation A cannot weaken any MFA parameter set by organisation B.
- Conversely, if a policy enforces MFA for a user, the user will always be required to log in with MFA, even when accessing services of other organisations. For example, a user has affiliations with organisations A and B, where A requires MFA through a policy. If B needs the user to access a service without MFA (e.g. an exam where they cannot use the phone as second factor), the user will not be able to access that service. Enforcing MFA for a user should therefore be evaluated carefully and communicated beforehand.
- The MFA settings of a user do not change automatically when they lose an affiliation. However, the user may then be able to lower the MFA parameters or even disable MFA if no policy enforcing it remains.
User attribute
swissEduIDAffiliationSecurityPolicy is the attribute used as a container storing various security-related policies in affiliations. Its purpose is to make the organisation policies of a user accessible to the IdP. It is not to be used as a SAML attribute or OIDC claim transmitted to services. However, just like other affiliation attributes, it is provisioned from an organisation to edu-ID using the push or pull method.
Name | swissEduIDAffiliationSecurityPolicy |
---|---|
Description | Security criteria to be applied to various processes, especially the login process. Policy applicable per affiliation. |
Vocabulary | JSON data containing the authentication criteria. Type of JSON data: AffiliationSecurityPolicy (see below) |
OID | 2.16.756.1.2.5.1.1.2025 |
# of values | single |
Example values | { "mfaPolicy" : { "mode" : "enforced" , "maxDeviceTrustDuration" : "P30D" , "allowedSecondFactorTypes" : [ "totp" , "sms" ] } } |
Required | No. An absent attribute generally means that no policy is applied through this affiliation. The default values (or more restrictive ones, if specified by other policies) will be used during a user login. |
Specification of AffiliationSecurityPolicy JSON data:
{
  "mfaPolicy": {
    "mode": String,
    "maxDeviceTrustDuration": String,
    "allowedSecondFactorTypes": Array.of(String)
  }
}
At login time, every policy is taken into account and each field is considered independently of the others. Only the most restrictive setting for each field is applied.
To fall back to the default value, a field can either be set to null or be left undeclared.
mode: configures whether the user must always authenticate with MFA or not.
- enforced: Always require MFA
- optional: Don't require MFA
Default value: optional
maxDeviceTrustDuration: sets the maximum duration of the "remember browser" feature.
- ISO 8601 time duration (e.g. P7D): Maximum duration, independent of the current SSO session.
- A value of 0 is specified as P0D (or PT0S), i.e. as a regular ISO 8601 time duration. Its meaning is: Don't enable and don't evaluate the "remember browser" checkbox. Ask for the second factor if the current SSO session requires it.
Default value: 30 days (P30D)
allowedSecondFactorTypes: a list of allowed 2-step login token types. Supported types/combinations:
- ["totp"]
- ["totp","sms"]
Default value: all second factor types are supported (["totp","sms"])
Note: Setting this value to [] (empty list) strictly means "don't allow any second factor type" and is currently not supported.
Examples
All these examples show only a single policy. Every setting can always be overridden by more restrictive policies imposed by other organisations/affiliations or by service or user settings.
Example 1:
{
  "mfaPolicy": {
    "mode": "enforced",
    "maxDeviceTrustDuration": "P30D",
    "allowedSecondFactorTypes": ["totp"]
  }
}
MFA is enforced for all services the user accesses. The user has to use an authenticator app (or a similar program with TOTP support) as second factor. SMS is not permitted. An MFA session has a lifetime of 30 days on the same device.
Example 2:
{
  "mfaPolicy": {
    "mode": "enforced"
  }
}
MFA is enforced for all services the user accesses. The user may use SMS or an authenticator app (default) as second factor. An MFA session has a lifetime of 30 days (default) on the same device.
Example 3:
{
}
MFA is not enforced for this user by the organisation.
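The field-by-field combination rule from the attribute specification (most restrictive setting per field; null or undeclared fields fall back to the default) and the three example policies above, worked through in Python. This is an added illustration, not code from SWITCH edu-ID or the IdP: the function names effective_mfa_policy, duration_seconds and remember_browser_enabled are my own, treating the intersection of allowedSecondFactorTypes lists as the "most restrictive" list is my reading of the rule, and only the day/hour/minute/second subset of ISO 8601 durations is parsed. The SHORT_TRUST and NO_TRUST policies are constructed inputs.

```python
import re
from typing import Iterable, Optional

# Defaults stated in the attribute specification
DEFAULT_MODE = "optional"
DEFAULT_MAX_DEVICE_TRUST = "P30D"
DEFAULT_SECOND_FACTORS = ["totp", "sms"]
SUPPORTED_SECOND_FACTORS = set(DEFAULT_SECOND_FACTORS)

# Subset of ISO 8601 durations handled here (assumption): days, hours, minutes, seconds
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def duration_seconds(value: str) -> int:
    """Convert an ISO 8601 duration such as P30D, P7D, P0D or PT0S to seconds."""
    m = _DURATION_RE.match(value)
    if m is None or value in ("P", "PT"):
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return ((d * 24 + h) * 60 + mi) * 60 + s


def effective_mfa_policy(policies: Iterable[Optional[dict]]) -> dict:
    """Combine any number of AffiliationSecurityPolicy documents into one effective
    mfaPolicy. Every field is evaluated independently; the most restrictive value
    wins, and a null or undeclared field contributes nothing (the default applies)."""
    mode = DEFAULT_MODE
    trust_value = DEFAULT_MAX_DEVICE_TRUST
    trust_seconds = duration_seconds(trust_value)
    factors = set(SUPPORTED_SECOND_FACTORS)

    for policy in policies:
        mfa = (policy or {}).get("mfaPolicy") or {}

        # mode: "enforced" beats "optional"; once any policy enforces MFA it stays enforced
        declared_mode = mfa.get("mode")
        if declared_mode == "enforced":
            mode = "enforced"
        elif declared_mode not in (None, "optional"):
            raise ValueError(f"unknown mode: {declared_mode!r}")

        # maxDeviceTrustDuration: the shortest duration wins (P0D / PT0S disables the feature)
        raw = mfa.get("maxDeviceTrustDuration")
        if raw is not None:
            secs = duration_seconds(raw)
            if secs < trust_seconds:
                trust_seconds, trust_value = secs, raw

        # allowedSecondFactorTypes: keep only the types every declaring policy allows
        # (intersection; assumption about what "most restrictive" means for a list)
        allowed = mfa.get("allowedSecondFactorTypes")
        if allowed is not None:
            requested = set(allowed)
            unknown = requested - SUPPORTED_SECOND_FACTORS
            if unknown:
                raise ValueError(f"unsupported second factor types: {sorted(unknown)}")
            factors &= requested

    if not factors:
        # [] means "no second factor type allowed", which the spec says is not supported
        raise ValueError("effective policy would allow no second factor type")

    return {
        "mode": mode,
        "maxDeviceTrustDuration": trust_value,
        # keep the spec's ordering: totp before sms
        "allowedSecondFactorTypes": sorted(factors, key=DEFAULT_SECOND_FACTORS.index),
    }


def remember_browser_enabled(effective: dict) -> bool:
    """The "remember browser" checkbox is only offered when the effective duration is above zero."""
    return duration_seconds(effective["maxDeviceTrustDuration"]) > 0


# Constructed inputs: the three example policies from the page, plus two constructed
# policies from other affiliations that only touch the trust duration.
EXAMPLE_1 = {"mfaPolicy": {"mode": "enforced", "maxDeviceTrustDuration": "P30D",
                           "allowedSecondFactorTypes": ["totp"]}}
EXAMPLE_2 = {"mfaPolicy": {"mode": "enforced"}}
EXAMPLE_3 = {}
SHORT_TRUST = {"mfaPolicy": {"mode": None, "maxDeviceTrustDuration": "P7D"}}
NO_TRUST = {"mfaPolicy": {"maxDeviceTrustDuration": "PT0S"}}

if __name__ == "__main__":
    # Organisation B (EXAMPLE_3, no policy) cannot weaken what organisation A (EXAMPLE_1) enforces
    print(effective_mfa_policy([EXAMPLE_1, EXAMPLE_3]))
    # Enforced mode from one affiliation, shorter trust duration from another
    print(effective_mfa_policy([EXAMPLE_2, SHORT_TRUST]))
    # PT0S switches the "remember browser" checkbox off entirely
    print(remember_browser_enabled(effective_mfa_policy([NO_TRUST])))
```

The order in which affiliations are processed does not matter, which is what makes the "A cannot weaken B" note above hold: each field only ever moves towards the more restrictive value, and the defaults are the least restrictive starting point.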