Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

2nd Factor in full-mesh federation

(Eimantas Šerpenskas)

Haka mesh step-up:

Federation architectures:

Software, used in most IdPs:

Level of Assurance Authentication Context Profiles for SAML 2.0:

How an SP can ask for a particular level of assurance:

urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken

In the home organization this could be (and is) realized by creating a SimpleSAMLphp module that checks the requested LoA and forces the user to authenticate against additional sources, e.g.:

'ldap' => array( … ),
'facebook' => array( … ),
'googleauth' => array( … ),

'multisourceauth' => array(
    'contexts' => array(
        // keys are the AuthnContextClassRef URNs (left blank in these notes)
        '' => array('facebook'),
        '' => array('ldap'),
        '' => array('ldap', 'googleauth'),
    ),
    'defaultContext' => '',
),
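How the requested context drives the step-up, as an added Python example (not the SimpleSAMLphp module from these notes): it reads the SP's RequestedAuthnContext, looks the context up in a config shaped like 'multisourceauth' above, and returns which sources the session still has to pass. The URN-to-source keys, the sample request and the refusal status for unknown contexts are assumptions made for the example.

```python
# Added example (not the notes' module): step-up decision logic shaped after the
# 'multisourceauth' config above; the URN-to-source mapping is an assumption.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

CONFIG = {                              # keys assumed; the notes leave them blank
    "contexts": {
        AC + "unspecified":   ["facebook"],
        AC + "Password":      ["ldap"],
        AC + "TimeSyncToken": ["ldap", "googleauth"],
    },
    "defaultContext": AC + "Password",
}

def requested_contexts(authn_request_xml):
    """AuthnContextClassRef values from the SP's RequestedAuthnContext, in order."""
    root = ET.fromstring(authn_request_xml)
    return [e.text.strip() for e in root.findall(
        "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)]

def step_up(authn_request_xml, already_authenticated, config=CONFIG):
    """Return (context_to_assert, sources_still_required).
    Falls back to defaultContext when the SP asks for nothing; when none of the
    requested contexts is configured, returns (NO_AUTHN_CONTEXT, None) so the
    IdP refuses instead of silently asserting a weaker context.
    """
    wanted = requested_contexts(authn_request_xml) or [config["defaultContext"]]
    for ctx in wanted:                  # SP lists contexts by preference
        if ctx in config["contexts"]:
            needed = [s for s in config["contexts"][ctx]
                      if s not in already_authenticated]
            return ctx, needed
    return NO_AUTHN_CONTEXT, None

# Constructed AuthnRequest: the SP asks for a time-synchronised OTP token.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_req1" Version="2.0" IssueInstant="2013-02-05T10:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}TimeSyncToken</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    # Session already passed 'ldap', so only 'googleauth' is still required.
    print(step_up(SAMPLE_REQUEST, already_authenticated={"ldap"}))
```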

How could this be done for the whole federation, by putting this functionality into a proxy or otherwise? Or I've got a proposal to change the architecture to Hub and Spoke :)