@@ -36,8 +36,8 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]]
### Considerations about Shibboleth and the SAML environment ###
* Connection between a login flow and [[ http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf | SAML Authentication Context Classes ]]. What class to use for a new flow?
* Is it possible to combine login flows (sequence, alternative, choice, ...)? if so, how? Answer from devs: [[https://shibboleth.net/pipermail/dev/2015-July/006954.html|no]].
* Connection between a login flow and [SAML Authentication Context Classes](http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf). What class to use for a new flow?
* Is it possible to combine login flows (sequence, alternative, choice, ...)? if so, how? Answer from devs: [no](https://shibboleth.net/pipermail/dev/2015-July/006954.html).
* Flow support for forced authentication and passive authentication.
* Where does the verification of the second factor happen? Inside or outside the IdP process? Are existing extension points sufficient?
...
...
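Review bot: the migrated bullet "Is it possible to combine login flows (sequence, alternative, choice, ...)? if so, how?" still has a lowercase "if" after the question mark; since the line is rewritten anyway, consider "If so, how?". Also note that the first bullet's question "What class to use for a new flow?" remains unanswered in this hunk while the second bullet records the developers' answer; the later Apache-configuration questions rely on a specific ''authnContextClassRef'' value, so recording the chosen SAML Authentication Context class here once it is decided would keep the two sections consistent.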
@@ -142,9 +142,9 @@ Voici cependant quelques compléments qui ont été discutés en séance:
### Questions ###
* Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?\\**Yes**, according to [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig|NativeSPApacheConfig]], any [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings|content setting]] can be given with the ''ShibRequestSetting'' directive, in particular ''authnContextClassRef'', ''authnContextComparison'' and ''forceAuthn''. Additionally, it is possible to request more than one authentication method.
* Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?\\**Yes**, according to [NativeSPApacheConfig](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig), any [content setting](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) can be given with the ''ShibRequestSetting'' directive, in particular ''authnContextClassRef'', ''authnContextComparison'' and ''forceAuthn''. Additionally, it is possible to request more than one authentication method.
* Same question as above with "force authentication".\\**Yes** with ''ShibRequestSetting forceAuthn true'', see above.
* Is there a session timeout per authentication method on the SP?\\**Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride|ApplicationOverride]] could specify a [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions|Sessions]] element with MFA-specific timeouts (available settings are ''lifetime'', ''timeout'' and ''maxTimeSinceAuthn''), then this application can be referenced in the Apache configuration with ''ShibRequestSetting applicationId foo''.
* Is there a session timeout per authentication method on the SP?\\**Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [ApplicationOverride](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride) could specify a [Sessions](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions) element with MFA-specific timeouts (available settings are ''lifetime'', ''timeout'' and ''maxTimeSinceAuthn''), then this application can be referenced in the Apache configuration with ''ShibRequestSetting applicationId foo''.
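Review bot: the conversion from wiki-link syntax to markdown links is incomplete for the remaining DokuWiki markup in these bullets. Both rewritten lines keep the ''\\'' forced line break before "**Yes**" and the two-apostrophe monospace markup around ''ShibRequestSetting'', ''authnContextClassRef'', ''authnContextComparison'', ''forceAuthn'', ''lifetime'', ''timeout'', ''maxTimeSinceAuthn'' and ''ShibRequestSetting applicationId foo''; in markdown these render as literal characters. Suggest backticks for the directive and setting names and a real line break (two trailing spaces, a ''<br>'', or a separate line) in place of ''\\''. The unchanged context bullet "Same question as above with "force authentication".\\**Yes** with ''ShibRequestSetting forceAuthn true'', see above." carries the same markup and should be converted in the same change so the list renders consistently.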