SWAMID has three defined levels of assurance: SWAMID AL1 (http://www.swamid.se/policy/assurance/al1), SWAMID AL2 (http://www.swamid.se/policy/assurance/al2) and SWAMID AL3 (http://www.swamid.se/policy/assurance/al3).
All SWAMID-approved assurance levels for an Identity Provider are published in the SAML metadata as the SAML extended attribute urn:oasis:names:tc:SAML:attribute:assurance-certification. The assurance certification attribute in metadata defines which assurance profiles the Identity Provider and its home organisation have been approved for, or have declared that they fulfil.
The Identity Provider uses the attribute eduPersonAssurance (urn:oid:1.3.6.1.4.1.5923.1.1.1.11) to assert the logged-in user's assurance profile. Note that the Identity Provider must not indicate any assurance profile other than those it is approved for. Signalling the user's assurance profile via eduPersonAssurance means that the validation of that user fulfils all parts of the asserted assurance profile. The attribute mapping for eduPersonAssurance is defined with the id assurance in 3.2 Configure Shibboleth SP - attribute-map.xml.
To check a user's assurance profile you must verify that the Identity Provider is approved (in metadata) for the same assurance profile that it has asserted for the user; an asserted value alone is not sufficient. To do this you need to activate extended functionality (metadata attribute extraction) in the Shibboleth Service Provider. This extension has been available since version 2.2.
If the web application needs to check whether a user is approved for a SWAMID Assurance Profile, the application must check the approved assurance profiles of both the user and the Identity Provider that was used, as described in the bullet list in this document.
Please note that this approach only checks that the Identity Provider and the user fulfil the checked assurance profile. Checking that the credentials used to log in also fulfil the assurance profile is more advanced and requires further configuration of both Service Provider and Identity Provider.
Internationally, within eduGAIN, the REFEDS Assurance Framework (RAF) is used to send information about a user's assurance levels. RAF differs from the SWAMID Assurance Profiles, but the two are more or less mappable. For identity proofing, SWAMID AL1 maps to RAF low (https://refeds.org/assurance/IAP/low), SWAMID AL2 maps to RAF medium (https://refeds.org/assurance/IAP/medium) and SWAMID AL3 maps to RAF high (https://refeds.org/assurance/IAP/high). REFEDS Assurance Framework values are only signalled for users, in the attribute eduPersonAssurance (urn:oid:1.3.6.1.4.1.5923.1.1.1.11).
Indication of uniqueness of identifiers is released as separate RAF values. If the identifier attribute eduPersonPrincipalName is used to identify the user, and the identifier is unique for a specific person and will never be used for another person, eduPersonAssurance includes the value https://refeds.org/assurance/ID/eppn-unique-no-reassign. If the newer
If the web application needs to check whether a user is approved for a REFEDS Assurance Framework claim, the application needs to check the approved assurance values released for the user.
Please note that this approach only checks that the Identity Provider and the user fulfil the checked assurance claims. Checking that the credentials used to log in also fulfil the assurance profile is more advanced and requires further configuration of both Service Provider and Identity Provider.
"The Security Incident Response Trust Framework for Federated Identity (Sirtfi) aims to enable the coordination of incident response across federated organisations. This assurance framework comprises a list of assertions which an organisation can attest in order to be declared Sirtfi compliant." The purpose of the REFEDS Sirtfi framework (https://refeds.org/sirtfi) is to add trust based on a defined Best Current Practice for incident response and operational security.
All Identity Providers that have declared that they follow the REFEDS Sirtfi framework are identified in the SAML metadata by the SAML extended attribute urn:oasis:names:tc:SAML:attribute:assurance-certification. The assurance certification attribute in metadata defines which assurance profiles the Identity Provider and its home organisation have declared that they fulfil, or have been approved for.
Service Providers can also declare in metadata that they fulfil the REFEDS Sirtfi framework, which gives Identity Providers added trust that the Service Provider follows the same Best Current Practice.
If the web application needs to check whether an Identity Provider has declared that it fulfils the REFEDS Sirtfi security framework, the application needs to check the approved assurance profiles in the Identity Provider's metadata. The web application may also use a filter in the Discovery Service that narrows the Identity Providers shown down to those that fulfil the framework.
To get the approved assurance profiles from metadata you need to activate the Metadata Attribute Extraction extension in Shibboleth SP. This is done by extending the ApplicationDefaults element in shibboleth2.xml with metadataAttributePrefix="Meta-" after REMOTE_USER="...", as in the example below. This is a standard example in the file example-shibboleth2.xml in later versions of Shibboleth SP. It is also included in the SWAMID Configure Shibboleth SP - SWAMID-shibboleth2.xml.
<ApplicationDefaults entityID="https://example.com/shibboleth" REMOTE_USER="eppn persistent-id targeted-id" metadataAttributePrefix="Meta-">
Important information
The next step is to make the approved assurance levels available to the application. This is done in attribute-map.xml in the same way as for normal Identity Provider-asserted attributes. It is also included in 3.2 Configure Shibboleth SP - attribute-map.xml.
<Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/>
After activating the Metadata Attribute Extraction extension and adding the attribute definition, all assurance profiles the Identity Provider is approved for are available to the application in the multi-valued attribute Meta-Assurance-Certification (the metadataAttributePrefix followed by the attribute id).
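The following Python is an added example, not code from the original page or from SWAMID or Shibboleth, showing how a web application behind Shibboleth SP could implement the three checks described above: the SWAMID profile check (which requires the profile both in the Identity Provider's metadata and in the user's eduPersonAssurance), the RAF identity-proofing check (eduPersonAssurance only) and the Sirtfi check (metadata only). It assumes the attribute ids used on this page, assurance for eduPersonAssurance and Meta-Assurance-Certification for the extracted metadata attribute, and that Shibboleth SP delivers multi-valued attributes as a single string with values joined by ";" and literal semicolons escaped as "\;". The URIs are those quoted on this page; the sample environment is constructed.

```python
"""Assurance checks for a web application behind Shibboleth SP (added example)."""
import os

# Assurance URIs as quoted on this page.
SWAMID_AL = {
    "AL1": "http://www.swamid.se/policy/assurance/al1",
    "AL2": "http://www.swamid.se/policy/assurance/al2",
    "AL3": "http://www.swamid.se/policy/assurance/al3",
}
RAF_IAP = {
    "low": "https://refeds.org/assurance/IAP/low",
    "medium": "https://refeds.org/assurance/IAP/medium",
    "high": "https://refeds.org/assurance/IAP/high",
}
# Identity-proofing mapping stated on the page ("more or less mappable", not exact).
SWAMID_TO_RAF = {"AL1": "low", "AL2": "medium", "AL3": "high"}
SIRTFI = "https://refeds.org/sirtfi"

# Assumed variable names: the attribute-map ids used on this page.
USER_ATTR = "assurance"                    # eduPersonAssurance, asserted by the IdP
IDP_ATTR = "Meta-Assurance-Certification"  # assurance-certification from IdP metadata


def split_values(raw):
    """Split a Shibboleth SP multi-valued attribute string into a list.

    Values are joined with ';'; a literal ';' inside a value is escaped as '\\;'
    (assumed Shibboleth SP convention). Missing/empty input yields [].
    """
    values, current, i = [], [], 0
    raw = raw or ""
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")
            i += 2
        elif ch == ";":
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    values.append("".join(current))
    return [v.strip() for v in values if v.strip()]


def user_has_swamid_profile(user_assurance, idp_certification, level):
    """SWAMID check: the IdP must be approved for `level` in metadata AND have
    asserted `level` for this user. An asserted value the IdP is not approved
    for is rejected, so a misconfigured or rogue IdP cannot upgrade its users."""
    uri = SWAMID_AL[level]
    return uri in split_values(idp_certification) and uri in split_values(user_assurance)


def user_has_raf_iap(user_assurance, iap):
    """RAF check: identity-proofing values are only signalled in eduPersonAssurance."""
    return RAF_IAP[iap] in split_values(user_assurance)


def idp_is_sirtfi(idp_certification):
    """Sirtfi is a property of the IdP and is read from metadata only."""
    return SIRTFI in split_values(idp_certification)


def evaluate(environ, swamid_level="AL2"):
    """Evaluate one request given a WSGI/CGI-style environment mapping."""
    user = environ.get(USER_ATTR, "")
    idp = environ.get(IDP_ATTR, "")
    raf = SWAMID_TO_RAF[swamid_level]
    return {
        "swamid_" + swamid_level.lower(): user_has_swamid_profile(user, idp, swamid_level),
        "raf_" + raf: user_has_raf_iap(user, raf),
        "sirtfi": idp_is_sirtfi(idp),
    }


# Constructed sample: the IdP is approved for AL1, AL2 and Sirtfi in metadata and
# asserts AL1, AL2 and RAF medium for the user. AL3 must fail for this IdP even if
# it were to assert AL3, because metadata does not approve it for AL3.
SAMPLE_ENVIRON = {
    IDP_ATTR: ";".join([SWAMID_AL["AL1"], SWAMID_AL["AL2"], SIRTFI]),
    USER_ATTR: ";".join([SWAMID_AL["AL1"], SWAMID_AL["AL2"], RAF_IAP["medium"]]),
}

if __name__ == "__main__":
    # Use the real Shibboleth SP environment when present, else the sample.
    env = os.environ if IDP_ATTR in os.environ else SAMPLE_ENVIRON
    print(evaluate(env, "AL2"))
    print(evaluate(env, "AL3"))
```

The deliberate asymmetry is the point of the page: for SWAMID profiles the application compares two independent sources (what the IdP asserted and what the federation has published about that IdP), whereas for RAF and Sirtfi there is only one authoritative source each. As the page notes, none of these checks says anything about the strength of the credential used at login.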