While signaling is out of scope for this work group, an understanding of how signaling occurs when the SAML protocol used by InCommon can help understanding of how an MFA profile will be used. For each of the following use cases, we describe how they would be (or would not be) addressed in the Multi-Context Broker (MCB) Model for the behavior of an IdP when multiple authentication methods are available.
The MCB Model assumes that each user is certified for specific authentication contexts, and each authentication context has an associated authentication method. Those certifications are stored in the IAM. This mechanism can be used to require, for example, that certain users must use MFA. More complex risk assessment strategies, however, would require custom code, although that code could, in many cases, be implemented as a "scripted attribute," so that the IdP can use continue to use the same mechanism. (Out of scope for the MFA Interoperability Profile.)
This is a direct application of our MFA profile. The SP requests the MFA profile as an authentication context, and the IdP invokes whatever specific authentication method it has associated with that profile. The SP is signaled in the response as to whether the request was successful. (In scope for the MFA Interoperability Profile.)
Assuming this use case is needed when the SP does not request an authentication context, then the MCB Model allows for the specification of a default context to be used for that SP. If the intent is to override an SP's request, then custom code would be required. It may also requiring violating the specification of the SP's requested context, so is not recommended. (Out of scope for the MFA Interoperability Profile.)
From the IdP's point of view, this is the same as SP initial request above. The SP requested the MFA profile at the time it is needed, essentially creating another session with the IdP, and the IdP responds accordingly. (In scope for the MFA Interoperability Profile.)