Organizational Authentication Policy

The organizational authentication policy feature is currently under development.

A university may impose an authentication and multi-factor policy on its members. This is done individually for each member by setting the attribute swissEduIDAffiliationSecurityPolicy in her/his linked affiliation.

The organizational authentication policy is interpreted as a minimum requirement. When a user accesses a service, the authentication policy of one university is combined with the policies of the user's other universities, with the service's configuration and with the user's own security settings into an effective policy, as described here.

Notes:

  • An organization's policy can only raise requirements; it cannot disable MFA for a person. If a service enforces MFA, an organization cannot overrule this. Likewise, if user X has affiliations to organizations A and B, organization A cannot overrule any MFA parameters set by organization B.
  • The MFA settings of a user do not change automatically when she/he loses an affiliation. However, once the affiliation is gone, the user may be able to lower the MFA parameters or even disable MFA.

User attribute

swissEduIDAffiliationSecurityPolicy

swissEduIDAffiliationSecurityPolicy is the attribute used as a container for various security-related policies in affiliations. Its purpose is to make an organization's policy for a user available to the IdP. It is not to be used as a SAML attribute or OIDC claim transmitted to services. However, just like the other affiliation attributes, it is provisioned from an organization to edu-ID using the push or pull method.

Name:          swissEduIDAffiliationSecurityPolicy
Description:   Security criteria to be applied to various processes, especially the login process. The policy applies per affiliation.
Vocabulary:    JSON data containing the authentication criteria. Type of JSON data: AffiliationSecurityPolicy (see below).
OID:           2.16.756.1.2.5.1.1.2025
# of values:   single
Example value:
{
  "mfaPolicy": {
    "mode": "enforced",
    "maxDeviceTrustDuration": "P30D",
    "allowedSecondFactorTypes": ["totp", "sms"]
  }
}
Required:      No. An absent attribute is equivalent to an attribute with an empty value (i.e. it corresponds to the JSON value {}).

Specification of AffiliationSecurityPolicy JSON Data:

{
  "mfaPolicy": {
    "mode": String,
    "maxDeviceTrustDuration": String,
    "allowedSecondFactorTypes": Array.of(String)
  }
}

mode: a string with one of the following values:

  • enforced: always require MFA
  • disabled: don't require MFA (default value)
  • on_demand: require MFA if the service requests it (deprecated)

Default value: disabled

maxDeviceTrustDuration: sets the maximum duration of the "remember browser" feature.

  • ISO 8601 time duration (e.g. "P7D"): maximum duration, independent of the current SSO session.
  • A value of zero is written as P0D (or PT0S), i.e. as a regular ISO 8601 time duration. It means: don't enable and don't evaluate "remember browser" for this login; ask for the second factor whenever the current SSO session requires it.

If not set, a default value is applied when the policy is evaluated (currently 30 days).

allowedSecondFactorTypes: a list of allowed 2-step login token types. Supported types/combinations:

  • [totp]
  • [totp,sms]

If not set, a default value is applied when the policy is evaluated (all supported second factor types are allowed). That is, to allow any type, leave the property unset.

Note: Setting this value to [] (empty list) strictly means "don't allow any second factor type" and must never be used.
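As an added worked example (not part of the edu-ID documentation or of the IdP implementation), the following Python script validates a swissEduIDAffiliationSecurityPolicy value against the specification above and then combines the parsed policies of several affiliations with a service's configuration and the user's own setting into an effective policy. The combination rules it applies (MFA required if any source requires it, the shortest device trust duration wins, allowed token types are intersected) are this example's reading of "minimum requirement" and of the notes above; the exact algorithm the IdP uses is not part of this page. The names parse_policy, effective_policy, service_requires_mfa and user_mfa_enabled, the ISO 8601 subset accepted, and the sample policies of organizations A and B are assumptions constructed for the example.

```python
import json
import re
from datetime import timedelta

# Vocabulary from the attribute specification above.
SUPPORTED_SECOND_FACTOR_TYPES = ("totp", "sms")
VALID_MODES = ("enforced", "disabled", "on_demand")
DEFAULT_DEVICE_TRUST = timedelta(days=30)  # current default when unset

# ISO 8601 duration subset: PnW or PnD[TnHnMnS]. Years and months are
# rejected here (assumption: they have no fixed length in seconds).
_DURATION_RE = re.compile(
    r"^P(?:(?P<weeks>\d+)W|(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?)$"
)


def parse_duration(text):
    """Parse "P7D", "P0D" or "PT0S" into a timedelta; reject anything else."""
    m = _DURATION_RE.match(text) if isinstance(text, str) else None
    if m is None or text in ("P", "PT") or text.endswith("T"):
        raise ValueError(f"invalid ISO 8601 duration: {text!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(**parts)


def parse_policy(raw):
    """Validate one swissEduIDAffiliationSecurityPolicy value (JSON text or None).

    An absent attribute counts as {}. Unset keys stay None here; defaults are
    applied only when the effective policy is computed, as the page specifies.
    """
    data = json.loads(raw) if raw else {}
    if not isinstance(data, dict):
        raise ValueError("policy must be a JSON object")
    mfa = data.get("mfaPolicy", {})
    if not isinstance(mfa, dict):
        raise ValueError("mfaPolicy must be a JSON object")

    mode = mfa.get("mode", "disabled")
    if mode not in VALID_MODES:
        raise ValueError(f"unknown mode: {mode!r}")

    duration = mfa.get("maxDeviceTrustDuration")
    if duration is not None:
        duration = parse_duration(duration)

    types = mfa.get("allowedSecondFactorTypes")
    if types is not None:
        # [] would mean "no second factor allowed" and must never be used.
        if (not isinstance(types, list) or not types
                or not all(isinstance(t, str) for t in types)):
            raise ValueError("allowedSecondFactorTypes must be a non-empty list")
        unknown = {t for t in types if t not in SUPPORTED_SECOND_FACTOR_TYPES}
        if unknown:
            raise ValueError(f"unsupported second factor types: {sorted(unknown)}")
        types = tuple(t for t in SUPPORTED_SECOND_FACTOR_TYPES if t in types)

    return {"mode": mode, "maxDeviceTrustDuration": duration,
            "allowedSecondFactorTypes": types}


def effective_policy(affiliation_policies, service_requires_mfa=False,
                     user_mfa_enabled=False):
    """Combine parsed affiliation policies with service and user settings.

    Assumed rules (this example's reading of "minimum requirement"):
    - MFA is required if the service, the user or any affiliation with mode
      "enforced" requires it; no other source can lower that.
    - The device trust duration is the shortest one set by any affiliation,
      30 days if none is set.
    - Allowed types are the intersection of the lists that are set, all
      supported types if none is set.
    """
    enforced = any(p["mode"] == "enforced" for p in affiliation_policies)
    mfa_required = service_requires_mfa or user_mfa_enabled or enforced

    durations = [p["maxDeviceTrustDuration"] for p in affiliation_policies
                 if p["maxDeviceTrustDuration"] is not None]
    device_trust = min(durations, default=DEFAULT_DEVICE_TRUST)

    allowed = set(SUPPORTED_SECOND_FACTOR_TYPES)
    for p in affiliation_policies:
        if p["allowedSecondFactorTypes"] is not None:
            allowed &= set(p["allowedSecondFactorTypes"])
    if not allowed:
        raise ValueError("affiliation policies leave no usable second factor type")

    return {
        "mfaRequired": mfa_required,
        "maxDeviceTrustDuration": device_trust,
        # P0D / PT0S: do not offer or evaluate "remember browser" this time.
        "rememberBrowserEnabled": device_trust > timedelta(0),
        "allowedSecondFactorTypes": tuple(
            t for t in SUPPORTED_SECOND_FACTOR_TYPES if t in allowed),
    }


# Constructed sample values: organization A enforces MFA (the page's example
# value), organization B only restricts device trust and token types.
ORG_A_POLICY = json.dumps({"mfaPolicy": {
    "mode": "enforced", "maxDeviceTrustDuration": "P30D",
    "allowedSecondFactorTypes": ["totp", "sms"]}})
ORG_B_POLICY = json.dumps({"mfaPolicy": {
    "maxDeviceTrustDuration": "P7D", "allowedSecondFactorTypes": ["totp"]}})

if __name__ == "__main__":
    policies = [parse_policy(ORG_A_POLICY), parse_policy(ORG_B_POLICY)]
    print(effective_policy(policies, service_requires_mfa=False))
```

Run stand-alone, the script shows a user affiliated with both A and B ending up with MFA required, a 7-day device trust limit and totp as the only allowed token type: B's stricter parameters are not overruled by A, and A's enforced mode is not overruled by B leaving mode unset. The validator rejects an empty allowedSecondFactorTypes list outright, which is the safer reading of the note above for a provisioning pipeline.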