Net-Inspect SSO MFA Integration Requirements
Purpose
This document describes the integration requirements for a Net-Inspect customer identity provider that uses a Multi-Factor Authentication (MFA) solution intended to supersede the MFA requirements Net-Inspect imposes during sign-in to Net-Inspect. If an identity provider supplies sufficient information in the SAML response indicating that the user has successfully performed Multi-Factor Authentication, Net-Inspect will honor this indication and will not enforce its own MFA, even where MFA would otherwise be required. This document identifies the methods that can be used to relay this information to Net-Inspect during the SSO handshake.
Assertion Attributes
The attribute statement in a SAML assertion can include attributes that instruct Net-Inspect to bypass its own MFA and trust the issuer of the SAML token, which has indicated that the user already performed MFA. For example, as shown in Figure 1, Microsoft Azure AD provides the following attributes when MFA has been performed for a user during SSO sign-in to a service provider application. Net-Inspect supports MFA attribute processing for the providers and attributes listed in Table 2.
Figure 1 - Microsoft Azure AD SAML Attribute Indicating MFA Status by Identity Provider
If any of the attributes listed in Table 2 is present in a SAML response sent to Net-Inspect, Net-Inspect will bypass its MFA enforcement during sign-in and will record and display a successful MFA status for that session.
Authentication Context
Net-Inspect also supports MFA bypass through the Authentication Context statement in the SAML response. Much like the assertion attributes, the Authentication Context included in the SAML assertion can indicate that the user has already performed MFA before being directed to Net-Inspect. Figure 2 shows the Authentication Context presented by Duo in a SAML assertion indicating that the user has already performed MFA. Table 1 lists the supported Authentication Context values that indicate to Net-Inspect that the user has already performed MFA.
Figure 2 - SAML Authentication Context Indicating MFA by Identity Provider
Table 1 - Authentication Context URI Indicating MFA by Identity Provider
| Authentication Context URI |
|---|
| https://refeds.org/profile/mfa |
| urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered |
| urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract |
| urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard |
| urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI |
| urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken |
Table 2 - Supported Assertion Attributes for MFA Bypass
| Provider | Assertion Attribute | Attribute Value Indicating MFA |
|---|---|---|
| Generic | IsMFA | Yes |
| Azure | http://schemas.microsoft.com/claims/authnmethodsreferences | http://schemas.microsoft.com/claims/multipleauthn |
| Azure | http://schemas.microsoft.com/claims/authnmethodsreferences | http://schemas.microsoft.com/claims/deviceauthn |
| Azure | http://schemas.microsoft.com/claims/authnmethodsreferences | http://schemas.microsoft.com/ws/2012/12/authmethod/otp |
| Azure | http://schemas.microsoft.com/claims/authnmethodsreferences | http://schemas.microsoft.com/ws/2012/12/authmethod/voicebiometric |
| Azure | http://schemas.microsoft.com/claims/authnmethodsreferences | http://schemas.microsoft.com/ws/2012/12/authmethod/phoneconfirmation |
| Azure | http://schemas.microsoft.com/claims/authnmethodsreferences | http://schemas.microsoft.com/ws/2012/12/authmethod/phoneappnotification |
| Azure | http://schemas.microsoft.com/claims/authnmethodsreferences | http://schemas.microsoft.com/ws/2012/12/authmethod/smsotp |
| Azure | http://schemas.microsoft.com/claims/authnmethodsreferences | http://schemas.microsoft.com/ws/2012/12/authmethod/smsreply |
| Ping¹ | pingid.authentication.type | MOBILE_APP_BIOMETRICS |
| Ping¹ | pingid.authentication.type | MOBILE_APP_SWIPE |
| Ping¹ | pingid.authentication.type | MOBILE_APP_OTP |
| Ping¹ | pingid.authentication.type | SMS |
| Ping¹ | pingid.authentication.type | VOICE |
| Ping¹ | pingid.authentication.type | DESKTOP_OTP |
| Ping¹ | pingid.authentication.type | YUBIKEY |
| Ping¹ | pingid.authentication.type | SECURITY_KEY |
| Ping¹ | pingid.authentication.type | FIDO2_BIOMETRICS |
| Ping¹ | pingid.authentication.type | OATH_TOKEN |
| Ping¹ | pingid.authentication.type | AUTHENTICATOR_APP |
| Exostar² | credentialtype1 | oob_otp |
| Exostar² | credentialtype1 | sf_otp |
| Exostar² | credentialtype1 | mob_push |
| Exostar² | credentialtype1 | mob_otp |
| Exostar² | credentialtype1 | bloa_soft_cert |
| Exostar² | credentialtype1 | mloa_soft_cert |
| Exostar² | credentialtype1 | mf_otp |
| Exostar² | credentialtype1 | mloa_hard_cert |
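The two checks described above, attribute matching against Table 2 and Authentication Context matching against Table 1, as an added Python example that is not Net-Inspect's own code: it encodes Table 1 in full and a subset of Table 2, walks a constructed assertion, and returns every piece of MFA evidence found, so an empty result means local MFA must still be enforced. The function name `mfa_evidence` and the sample assertion are assumptions of the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Table 1: AuthnContextClassRef values that indicate MFA was performed.
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
MFA_AUTHN_CONTEXTS = {"https://refeds.org/profile/mfa"} | {
    AC + c for c in ("MobileTwoFactorUnregistered", "MobileTwoFactorContract",
                     "Smartcard", "SmartcardPKI", "TimeSyncToken")}

# Table 2 (subset): attribute Name -> attribute values that indicate MFA.
MFA_ATTRIBUTES = {
    "IsMFA": {"Yes"},
    "http://schemas.microsoft.com/claims/authnmethodsreferences": {
        "http://schemas.microsoft.com/claims/multipleauthn",
    },
    "pingid.authentication.type": {"MOBILE_APP_BIOMETRICS", "SECURITY_KEY"},
    "credentialtype1": {"mob_push", "mloa_hard_cert"},
}

def mfa_evidence(assertion_xml: str) -> list:
    """Reasons the assertion counts as MFA (empty list -> enforce local MFA).
    Call only on an assertion whose signature has already been verified."""
    root = ET.fromstring(assertion_xml)
    reasons = []
    for ref in root.iterfind(".//saml:AuthnContextClassRef", NS):
        if (ref.text or "").strip() in MFA_AUTHN_CONTEXTS:
            reasons.append("authncontext:" + ref.text.strip())
    for attr in root.iterfind(".//saml:Attribute", NS):
        accepted = MFA_ATTRIBUTES.get(attr.get("Name"), set())
        for val in attr.iterfind("saml:AttributeValue", NS):
            if (val.text or "").strip() in accepted:
                reasons.append("attribute:%s=%s" % (attr.get("Name"), val.text.strip()))
    return reasons

# Constructed sample (not captured from a real IdP): a password-only
# AuthnContext, but an Azure-style amr attribute carrying multipleauthn.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
 </saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
   <saml:AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</saml:AttributeValue>
   <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `mfa_evidence(SAMPLE)` yields a single attribute-based reason, because the Authentication Context alone is not in Table 1 while the multipleauthn value is in Table 2.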