...

In the IdP use scenario, the IdP and the MFA service agree on the integration method. The Haka federation operator provides a Shibboleth IdP authentication handler that home organisations can install in their IdP. The plugin and the MFA service exchange messages using the OpenID Connect protocol, which also allows IdP products other than Shibboleth to use the MFA service in the IdP-initiated scenario. The MFA service accepts authentication requests in both the SAML2 and the OpenID Connect protocol. The IdP integration with the MFA service uses OpenID Connect; the SP integration can use either protocol.

Authentication methods

Currently the Haka MFA service uses the Time-based One-Time Password (TOTP) algorithm, standardised in RFC 6238, as its authentication method. In practice the user can, for instance, have a TOTP-compliant app (such as Google Authenticator) on their smartphone. In addition, SMS-based authentication is used during user registration. When a user is directed to the MFA service, the identifier released by the IdP is examined. If the user already has a second factor configured, MFA can be invoked directly. If no second factor is associated with the identifier, the user is directed to register and configure one. Second-factor registration is carried out by sending an SMS to the user's registered mobile phone number.