The last paragraph of section 4.3 SWAMID Member in the SWAMID Federation Policy defines that all SWAMID Members and their Subjects MUST fulfil one or more of the SWAMID Identity Assurance Profiles. This wiki page describes which attribute values should be released in the attribute eduPersonAssurance for the SWAMID Identity Assurance Profiles, including the mapped values for the REFEDS Assurance Framework.

SWAMID Identity Assurance Profile 1

A user that fulfils SWAMID Assurance Level 1 Profile should get the following values in the attribute eduPersonAssurance:

  • http://www.swamid.se/policy/assurance/al1
  • https://refeds.org/assurance
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/ID/unique [1]
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign [2]
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/local-enterprise [3]
  • https://refeds.org/assurance/ATP/ePA-1m [4]

SWAMID Identity Assurance Profile 2

A user that fulfils SWAMID Assurance Level 2 Profile should get the following values in the attribute eduPersonAssurance:

  • http://www.swamid.se/policy/assurance/al1
  • http://www.swamid.se/policy/assurance/al2
  • https://refeds.org/assurance
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/ID/unique [1]
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign [2]
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/medium
  • https://refeds.org/assurance/IAP/local-enterprise [3]
  • https://refeds.org/assurance/ATP/ePA-1m [4]

SWAMID Identity Assurance Profile 3

A user that fulfils SWAMID Assurance Level 3 Profile should get the following values in the attribute eduPersonAssurance:

  • http://www.swamid.se/policy/assurance/al1
  • http://www.swamid.se/policy/assurance/al2
  • http://www.swamid.se/policy/assurance/al3
  • https://refeds.org/assurance
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/profile/espresso
  • https://refeds.org/assurance/ID/unique [1]
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign [2]
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/medium
  • https://refeds.org/assurance/IAP/high
  • https://refeds.org/assurance/IAP/local-enterprise [3]
  • https://refeds.org/assurance/ATP/ePA-1m [4]
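The three lists above are cumulative, and a misconfigured attribute resolver that releases, say, al3 without espresso or IAP/high without IAP/medium gives Relying Parties a contradictory picture. The following Python is an added example, not SWAMID's or REFEDS' own code: it builds the eduPersonAssurance value set for a given SWAMID level from the lists on this page and sanity-checks a candidate value set before release. The consistency rules (levels and IAP values are cumulative, every REFEDS component value needs the base value, and each REFEDS profile appears together with the IAP value listed beside it above) are derived from this page's lists and are assumptions of the example.

```python
"""Map SWAMID Identity Assurance Profiles to eduPersonAssurance values and
check a candidate value set for internal consistency.

Added example; value lists mirror the three profile tables on this page.
"""
from typing import Iterable, List

SWAMID = "http://www.swamid.se/policy/assurance/"
RAF = "https://refeds.org/assurance"

# Values that each level adds on top of the lower levels (levels are cumulative).
_LEVEL_VALUES = {
    1: [SWAMID + "al1"],
    2: [SWAMID + "al2", RAF + "/IAP/medium"],
    3: [SWAMID + "al3", RAF + "/profile/espresso", RAF + "/IAP/high"],
}

# Values common to all three SWAMID profiles.
_COMMON_VALUES = [
    RAF,
    RAF + "/profile/cappuccino",
    RAF + "/ID/unique",                   # [1] does not by itself require releasing identifiers
    RAF + "/ID/eppn-unique-no-reassign",  # [2] does not by itself require releasing ePPN
    RAF + "/IAP/low",
    RAF + "/IAP/local-enterprise",        # [3]
    RAF + "/ATP/ePA-1m",                  # [4]
]


def assurance_values(level: int) -> List[str]:
    """Return the eduPersonAssurance values for a user at SWAMID AL `level` (1-3)."""
    if level not in _LEVEL_VALUES:
        raise ValueError(f"unknown SWAMID assurance level: {level}")
    values: List[str] = []
    for lvl in range(1, level + 1):          # cumulative: AL3 contains AL2 and AL1 values
        values.extend(_LEVEL_VALUES[lvl])
    values.extend(_COMMON_VALUES)
    return values


def highest_swamid_level(values: Iterable[str]) -> int:
    """Return the highest SWAMID level asserted in `values`, or 0 if none."""
    present = set(values)
    return max((n for n in (1, 2, 3) if SWAMID + f"al{n}" in present), default=0)


def check_consistency(values: Iterable[str]) -> List[str]:
    """Return a list of problems found in a candidate eduPersonAssurance set.

    Rules are assumptions derived from this page's lists, not normative text.
    """
    v = set(values)
    problems: List[str] = []
    # SWAMID levels and REFEDS IAP values are cumulative on this page.
    for hi, lo in (("al3", "al2"), ("al2", "al1")):
        if SWAMID + hi in v and SWAMID + lo not in v:
            problems.append(f"{hi} asserted without {lo}")
    for hi, lo in (("high", "medium"), ("medium", "low")):
        if RAF + "/IAP/" + hi in v and RAF + "/IAP/" + lo not in v:
            problems.append(f"IAP/{hi} asserted without IAP/{lo}")
    # Any REFEDS component value is listed together with the base value.
    if RAF not in v and any(x.startswith(RAF + "/") for x in v):
        problems.append("REFEDS component values asserted without base value " + RAF)
    # Profiles appear together with the IAP value listed beside them above.
    if RAF + "/profile/cappuccino" in v and RAF + "/IAP/low" not in v:
        problems.append("profile/cappuccino asserted without IAP/low")
    if RAF + "/profile/espresso" in v and RAF + "/IAP/high" not in v:
        problems.append("profile/espresso asserted without IAP/high")
    # Only AL3 carries espresso on this page; flag a mismatch in either direction.
    level = highest_swamid_level(v)
    if level == 3 and RAF + "/profile/espresso" not in v:
        problems.append("al3 asserted without profile/espresso")
    if level < 3 and RAF + "/profile/espresso" in v:
        problems.append("profile/espresso asserted below al3")
    return problems


if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(f"SWAMID AL{lvl}: {len(assurance_values(lvl))} values, "
              f"problems={check_consistency(assurance_values(lvl))}")
    # Constructed misconfiguration: al3 released without the rest of the set.
    print(check_consistency([SWAMID + "al3", RAF + "/IAP/high"]))
```

Running `check_consistency` over the value set an IdP's attribute resolver actually produces for a test account, rather than over the configuration, catches the common mistake of mapping a local assurance flag to only the new values of a level instead of the whole cumulative list.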

Additional information on specific REFEDS Assurance Framework values

[1] https://refeds.org/assurance/ID/unique

In section 5.2.3 of all SWAMID Identity Assurance Profiles it's defined that a user must be represented with one or more unique identifiers. This attribute value defines that released values of the identifier attributes must be unique and never reused for another user. However, the value doesn't imply that you release all identifier attributes.

...

  • (Unique-1) The user identifier represents a single natural person;
  • (Unique-2) The CSP can contact the person to whom the identifier is issued;
  • (Unique-3) The user identifier is never re-assigned; and
  • (Unique-4) The user identifier is eduPersonUniqueId, SAML 2.0 persistent name identifier, SAML V2.0 Subject Identifier Attribute subject-id or SAML V2.0 Subject Identifier Attribute pairwise-id.

[2] https://refeds.org/assurance/ID/eppn-unique-no-reassign

In section 5.2.3 of all SWAMID Identity Assurance Profiles it's defined that a user must be represented with one or more unique identifiers. This attribute value defines that the released value of the attribute eduPersonPrincipalName must be unique and never reused for another user. However, the value doesn't imply that you release the attribute.

...

  • If the Identity Provider asserts eppn-unique-no-reassign, the Relying Party knows that when it observes a given ePPN value it will always belong to the same individual

[3] https://refeds.org/assurance/IAP/local-enterprise

In section 5.5.2 of all SWAMID Identity Assurance Profiles it's defined that the Identity Provider must have an availability that allows the Member Organisation to use it for internal systems.

[4] https://refeds.org/assurance/ATP/ePA-1m

There is no text about freshness of affiliation in the SWAMID Identity Assurance Profiles. However, the definition of attribute freshness in the REFEDS Assurance Framework follows from good identity management practices.

...