What does Salesforce expect from IdP SAML Assertions to prove MFA?

Question

With respect to SAML SSO and required MFA effective Feb 1 2022...

What technical details can be provided by Salesforce so an IdP can be certain that it's SAML Assertion will be considered "valid" by SF?

Yes, we use Strong Authentication Methods/ MFA.

But what about the XML, what does Salesforce need from the IdPs to prove this?

Per the SAML specification, would you provide specific schema classes that will be allowable? For example... will MobileTwoFactorContract be the only allowed Authentication Context after Feb 2022?

#MFA - Getting Started

@* MFA - Getting Started *

Mat Hamlin · Accepted Answer

Salesforce will not be checking for proof of MFA from SSO logins in Feb '22.  Customers are contracturally obligated to meet the requirement.  That being said, we currently capture the Authentication Method Reference from all OpenID Connect Auth Providers and it's available for review on Login History objects.  In the future, we'll add support for SAML AuthnContext.   Generally, we have seen that the values returned by SSO providers is inconsistent and incomplete, so we do not have any current plans to enforce MFA in Salesforce based on these values.

Mat Hamlin · Answer

Correct.  The updated terms of service + the MFA FAQ describe the responsibilties for customers.       Incorrect and correct.  In Feb '22, there will not be any in-product enforement enabled.  The Feb '22 "enforcement" is purely contractural.  Customers will still need to configure MFA for users logging in directly to the Salesforce UI with username and password.  We will be adding features in late '22/early '23 to begin in-product enforcement, starting with new orgs.       When we do add enforcement features, it will only affect users logging into directly into the Salesforce UI.  SSO logins will not be affected.

What does Salesforce expect from IdP SAML Assertions to prove MFA?

Salesforce Identity

More Help