This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] are the [Authentication Context Class] and [Authentication Context Class Reference] values we have been able to find that are defined.
!! [OpenID Connect MODRNA Authentication Profile 1.0]
The [OpenID Connect MODRNA Authentication Profile 1.0] defines the [acr_values] as shown below.
! http://schemas.openid.net/policies/modrna/phishing-resistant
Short-Name: [mod-pr] This mitigates phishing of credentials.
The user is authenticated via possession of a [Mobile Device] (phone) containing a [secret-key]. The user is required to provide no additional authentication information to use the key. The user is interactively prompted to confirm the [authentication]. The storage mechanism for the secret key and other relevant authentication information is returned via the [amr]. The user is not re-prompted for credentials if the value of prompt is not login and max_age is more than the elapsed time since the user last authenticated at the requested [acr].
! http://schemas.openid.net/policies/modrna/multi-factor
Short-Name: [mod-mf]
This mitigates [phishing] and proves the device was recently in the possession of the authorized [End-User] via [PIN] or device unlock.
The user is authenticated via possession of a [Mobile Device] (phone) containing a [secret-key]. The [End-User] is required to provide additional [authentication] information via a [biometric], [PIN] code or other appropriate factors such as bluetooth pairing with a watch. Given suitable [Mobile Device] management unlocking the device is also sufficient along with user confirmation of desire to authenticate. The storage mechanism for the [secret-key] and other relevant [authentication] information is returned via the [amr] value. The user is __NOT__ re-prompted for [credentials] if the value of [prompt|Prompt Parameter] is not login and [max_age] is more than the elapsed time since the user last authenticated at the requested [acr].
[Identity Provider (IDP)] [MUST] recognize and process __short registered forms__ of the authentication context strings. They may recognize and process long forms for custom authentication contexts.
Clients [MUST] send the short registered forms of the authentication context strings, if the authentication context is registered.
The [OpenID Connect Provider] [MUST] support receiving [{$pagename}] as a space separated list in order of preference per [OpenID.Core] section 3.1.2.1.
The [OpenID Connect Provider] [MUST] support receiving [acr] as a claim request in a signed request per [OpenID.Core] 5.5.1. This method prevents the request from being modified by the user, and allows the requested [acr] value to be considered [Essential Claims], causing the [Identity Provider (IDP)] to respond with an authentication error if no requested [acr] value can be fulfilled.
Depending on the authentication capabilities of the user's device, the [OpenID Connect Provider] [MUST] attempt to match the highest requested [acr] value that the user's authentication device (AD) is capable of.
If the [acr] claim is not marked as [Essential Claim] in the request object, the [OpenID Connect Provider] may return another [acr] value that the device is capable of rather than an error if it cannot match any of the requested [acr_values].
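The matching rules above, worked through as an added example (not code from the MODRNA profile or from this wiki): the two registered short names and URIs are the ones listed on this page; the strength ordering, the device-capability set and the function names are assumptions made for illustration.

```python
from __future__ import annotations

# Short registered form -> long form, as listed on this page.
MODRNA_ACR = {
    "mod-pr": "http://schemas.openid.net/policies/modrna/phishing-resistant",
    "mod-mf": "http://schemas.openid.net/policies/modrna/multi-factor",
}

# Assumed ranking used to decide which requested value is the "highest".
STRENGTH = {"mod-pr": 1, "mod-mf": 2}


class AcrNotFulfillable(Exception):
    """Raised when an acr requested as an Essential Claim cannot be met."""


def parse_acr_values(acr_values: str) -> list[str]:
    """Split the space-separated acr_values parameter (kept in the client's
    order of preference) and map any long-form URI to its short form."""
    long_to_short = {uri: short for short, uri in MODRNA_ACR.items()}
    return [long_to_short.get(tok, tok) for tok in acr_values.split()]


def select_acr(requested: list[str], device_caps: set[str], essential: bool) -> str:
    """Decide which acr the OP will authenticate the user at.

    requested   - acr values from the request, in order of preference
    device_caps - short-form acr values this user's device can perform (assumed model)
    essential   - True when acr was requested as an Essential Claim
    """
    # Only registered short forms are matched; unregistered strings are ignored.
    candidates = [a for a in requested if a in MODRNA_ACR and a in device_caps]
    if candidates:
        # MUST attempt the highest requested value the device is capable of.
        return max(candidates, key=lambda a: STRENGTH[a])
    if essential:
        # Essential Claim that cannot be fulfilled -> authentication error.
        raise AcrNotFulfillable("none of %s can be fulfilled" % requested)
    # Non-essential: the OP may answer with another value the device supports.
    supported = [a for a in device_caps if a in MODRNA_ACR]
    if not supported:
        raise AcrNotFulfillable("device supports no registered acr")
    return max(supported, key=lambda a: STRENGTH[a])
```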
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]