“认证方法”当AAD是SAML联合中的IdP并且需要MFA时，声明值。 [英] "Authentication Method" claim values when AAD is the IdP in a SAML federation and MFA is required.

问题描述

我找不到一个Microsoft文档，它会告诉我Azure AD声称为IdP的可能值的范围 在"认证方法"中在SAML断言中声明。

I cannot locate a Microsoft document that will tell me the range of possible values that Azure AD asserts as an IdP  in the "Authentication Method" claim in the SAML Assertion.

特别是我想要  SAML断言/声明将告诉服务提供商  Azure AD用户使用MFA进行身份验证。

In particular I want  a SAML assertion/claim that will tell the Service Provider  that the Azure AD user authenticated with MFA.

任何帮助表示赞赏。

谢谢，

David。

推荐答案

你好， 

Hello, 

这是标准  SAML中支持的身份验证上下文类列表。 

This is the standard  list of supported Authentication context classes in SAML. 

但是，您通常只能看到"集成Windows身份验证"。和Azure AD中的"用户名和密码"。 

However you will generally only see the ""Integrated Windows Authentication" and "Username and Password" from Azure AD. 

参考：  https://docs.microsoft.com/en-us/azure / active-directory / develop / single-sign-on-saml-protocol＃authnstatement

Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#authnstatement

Azure AD不会在SAML响应中发出有关MFA的声明。作为解决方法，您可以考虑创建条件访问策略，只有当用户在访问此特定应用程序时执行MFA时才允许用户。因此，如果用户获得SAML
响应，则应用程序可以假定他执行了2FA。这需要Azure但是，AD高级许可证。 

Azure AD does not issue a claim about MFA in the SAML response. As a workaround , you can consider creating a conditional access policy which will allow users only if the users performs MFA while accessing this particular application. So if a user gets SAML response, then application can assume that he  performed 2FA. This requires Azure AD premium licenses though. 

希望这会有所帮助。 

Hope this helps. 

这篇关于“认证方法”当AAD是SAML联合中的IdP并且需要MFA时，声明值。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！