The federated identity model provides a solution for user authentication across multiple administrative domains. The academic federations, such as the Brazilian federation, are examples of this model in practice. The majority of institutions that participate in academic federations employ password-based authentication for their users, with an attacker only needing to find out one password in order to personify the user in all federated service providers. Multi-factor authentication emerges as a solution to increase the robustness of the authentication process. This article aims to introduce a comprehensive and open source solution to offer multi-factor authentication for Shibboleth Identity Providers. Based on the Multi-factor Authentication Profile standard, our solution provides three extra second factors (One-Time Password, FIDO2 and Phone Prompt). The solution has been deployed in the Brazilian academic federation, where it was evaluated using functional and integration testing, as well as security and case study analysis.

中文翻译：

---

shibboleth身份提供者的多因素身份验证

联合身份模型为跨多个管理域的用户身份验证提供了一种解决方案。在实践中，诸如巴西联邦这样的学术联合会就是这种模式的例子。参加学术联盟的大多数机构都为其用户使用基于密码的身份验证，而攻击者只需要找出一个密码即可在所有联合服务提供商中个性化用户。多因素身份验证作为增加身份验证过程的鲁棒性的解决方案而出现。本文旨在介绍一种全面的开源解决方案，为Shibboleth身份提供商提供多因素身份验证。根据多因素身份验证配置文件标准，我们的解决方案提供了三个额外的第二因素（一次性密码，FIDO2和电话提示）。该解决方案已部署在巴西学术联合会中，并在其中使用功能和集成测试以及安全性和案例分析进行了评估。