Skip to content Skip to site navigation Skip to service navigation

SAML Multi-factor Authentication Custom Profile


This Multi-Factor Authentication (MFA) Profile specifies requirements that an authentication event must meet in order to communicate the usage of MFA. It also defines a SAML authentication context for expressing this in SAML.

The MFA Authentication Context can be used by Service Providers to request that Identity Providers perform MFA as defined below and by IdPs to notify SPs that MFA was used.

The Profile Recommendation is based on the OASIS Authentication Context for SAML [1] and the MFA Interop Final Report by InCommon [2].


It should be noted that there are other assurance related issues, such as identity proofing and registration, that may be of concern to SPs when authenticating users. This profile, however, does not establish any requirements for those other issues; these may be addressed by other REFEDS profiles [3].


In a SAML assertion, compliance is communicated by asserting the AuthnContextClassRef:


By asserting the URI shown above, an Identity Provider claims that:

  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors defined in ITU-T X.1254: Entity authentication assurance framework, section 3.1.3, authentication factor (something you know, something you have, something you are, something you do) [4]. In addition, a second factor has been requested immediately.
  • The factors used are independent, in that access to one factor does not by itself grant access to other factors.
  • The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor.


  1. Kemp, John at al. “Authentication Context for the OASIS Security Assertion Markup Language(SAML) V2.” 15 March 2005:
  2. Herrington, Karen et al. “Multi-Factor Authentication (MFA) Interoperability Profile Working Group Final Report.” 23 June 2016:
  3. REFEDS Profiles are listed at:
  4. International Telecommunication Union. “Series X. Data Networks, Open System Communication and Security. Cyberspace security – Identity management. Entity authentication assurance framework. Standard X.1254.” September 2012:
Last modified May 2, 2018