Overview#

Authentication Context Class Values are the Authentication Context Class and Authentication Context Class Reference values we have been able to find that are defined.

OpenID Connect MODRNA Authentication Profile 1.0#

The OpenID Connect MODRNA Authentication Profile 1.0 defines acr_values as shown below.

http://schemas.openid.net/policies/modrna/phishing-resistant#

Short-Name: mod-pr This mitigates phishing of credentials.

The user is authenticated via possession of a Mobile Device (phone) containing a secret-key. The user is required to provide no additional authentication information to use the key. The user is interactively prompted to confirm the authentication. The storage mechanism for the secret key and other relevant authentication information is returned via the amr. The user is not re-prompted for credentials if the value of prompt is not login and max_age is more than the elapsed time since the user last authenticated at the requested acr.

http://schemas.openid.net/policies/modrna/multi-factor#

Short-Name: mod-mf This mitigates phishing and proves the device is recently in the possession of the authorized user via pin or device unlock. The user is authenticated via possession of a Mobile Device (phone) containing a secret-key. The user is required to provide additional authentication information via a biometric, pin code or other appropriate factors such as bluetooth paring with a watch. Given suitable Mobile Device management unlocking the device is also sufficient along with user confirmation of desire to authenticate. The storage mechanism for the secret-key and other relevant authentication information is returned via the amr value. The user is NOT re-prompted for credentials if the value of prompt is not login and max_age is more than the elapsed time since the user last authenticated at the requested acr.

Identity Provider (IDP) MUST recognize and process short registered forms of the authentication context strings. They may recognize and process long forms for custom authentication contexts.

Clients MUST send the short registered forms of the authentication context strings, if the authentication context is registered.

The OpenID Connect Provider MUST support receiving Authentication Context Class Values as a space separated list in order of preference per OpenID.Core section 3.1.2.1.

The OpenID Connect Provider MUST support receiving acr as a claim request in a signed request per OpenID.Core 5.5.1. This method prevents the request from being modified by the user, and allows the requested acr valued to be considered essential claims causing the Identity Provider (IDP) to respond with an authentication error if no requested acr value can be fulfilled.

Depending on the authentication capabilities of the users device, the OpenID Connect Provider MUST attempt to match the highest requested acr value that the AD is capable of. If the acr claim is not marked as Essential Claim in the request object, the OpenID Connect Provider may return another acr value that the device is capable of rather than an error if it cannot match any of the requested acr_values.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-2) was last changed on 04-Apr-2017 11:58 by jim