...

The Identity Provider uses the attribute eduPersonAssurance to assert the logged-in user's assurance profile. Please observe that the Identity Provider must not indicate any assurance profile other than the ones it is approved for. Signaling the user's assurance profile via the attribute eduPersonAssurance means that the user verification fulfills all parts of the asserted assurance profile. The attribute mapping for eduPersonAssurance is defined with the id assurance in 3.2 Configure Shibboleth SP - attribute-map.xml.

  • An Identity Provider that has an assurance certification in metadata for SWAMID AL2 is allowed to assert that a user is approved for SWAMID AL2.
  • An Identity Provider that has an assurance certification in metadata for SWAMID AL1 is allowed to assert that a user is approved for SWAMID AL1.
  • An Identity Provider that has no assurance certification in metadata is not allowed to assert that a user is approved for any SWAMID assurance profile.

...

To get the approved assurance profiles from metadata you need to activate the Metadata Attribute Extraction extension in Shibboleth SP. This is done by extending the ApplicationDefaults tag in shibboleth2.xml with metadataAttributePrefix="Meta-" after REMOTE_USER="...", see the example below. This is a standard example in the file example-shibboleth2.xml in later versions of Shibboleth SP. It is also included in the SWAMID Configure Shibboleth SP - SWAMID-shibboleth2.xml.

Example ApplicationDefaults in shibboleth2.xml (opening tag only; the rest of the element is unchanged):

```xml
<ApplicationDefaults
    entityID="https://example.com/shibboleth"
    REMOTE_USER="eppn persistent-id targeted-id"
    metadataAttributePrefix="Meta-">
```

...

The next step is to make the approved assurance levels available to the application. This is done in attribute-map.xml in the same way as for normal Identity Provider asserted attributes; with the prefix above, the application sees the value as Meta-Assurance-Certification. It is also included in 3.2 Configure Shibboleth SP - attribute-map.xml.

Definition of the metadata assurance certification attribute in attribute-map.xml:

```xml
<Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/>
```
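The rules in the bullet list above (an Identity Provider may only assert profiles it is certified for) and the two mappings just shown are what an application needs in order to decide which asserted assurance profile it may trust. The following is an added example, not code from the SWAMID page or from Shibboleth SP: it takes the attribute values the SP hands to the application and keeps only the profiles that are both asserted in eduPersonAssurance and certified for that Identity Provider in metadata. It assumes eduPersonAssurance is mapped to the id assurance and the metadata attribute to Assurance-Certification with the Meta- prefix, so the variables are named assurance and Meta-Assurance-Certification (in Apache environment-variable mode the id is the variable name); that Shibboleth SP joins multi-valued attributes with ";" (literal semicolons escaped by the SP are not unescaped here); and the SWAMID AL1/AL2 URIs are the ones the example's author knows, to be checked against current SWAMID policy and metadata. The sample sessions are constructed.

```python
# Added example (not part of the SWAMID page or of Shibboleth SP): decide which
# asserted SWAMID assurance profiles an application may rely on.
#
# Assumptions (not taken from the page):
#   - attribute ids "assurance" (eduPersonAssurance) and
#     "Meta-Assurance-Certification" (metadata, prefix "Meta-") are what the
#     application receives from the SP;
#   - multi-valued attributes arrive joined with ";";
#   - the SWAMID AL1/AL2 URIs below are as known to the example's author;
#     verify them against current SWAMID policy and federation metadata.
from typing import Dict, Mapping, Set

SWAMID_AL1 = "http://www.swamid.se/policy/assurance/al1"
SWAMID_AL2 = "http://www.swamid.se/policy/assurance/al2"


def split_values(raw: str) -> Set[str]:
    """Split a Shibboleth SP multi-valued attribute string into a set of values."""
    return {v.strip() for v in raw.split(";") if v.strip()}


def trusted_assurance(attrs: Mapping[str, str]) -> Set[str]:
    """Return the assurance profiles the application may trust for this session.

    A profile counts only if the Identity Provider asserted it in
    eduPersonAssurance AND the federation metadata certifies that Identity
    Provider for it. An Identity Provider with no certification in metadata
    therefore yields an empty set, whatever it asserts.
    """
    asserted = split_values(attrs.get("assurance", ""))
    certified = split_values(attrs.get("Meta-Assurance-Certification", ""))
    return asserted & certified


def meets_level(attrs: Mapping[str, str], required: str) -> bool:
    """True if `required` (an AL URI) is among the trusted profiles."""
    return required in trusted_assurance(attrs)


# Constructed sample sessions, one per case in the SWAMID bullet list.
SAMPLE_SESSIONS: Dict[str, Dict[str, str]] = {
    # Certified for AL1 and AL2, asserts both: both are trusted.
    "al2_certified_idp": {
        "assurance": SWAMID_AL1 + ";" + SWAMID_AL2,
        "Meta-Assurance-Certification": SWAMID_AL1 + ";" + SWAMID_AL2,
    },
    # Certified only for AL1 but asserts AL2 as well: AL2 must be ignored.
    "al1_certified_idp_overclaims_al2": {
        "assurance": SWAMID_AL1 + ";" + SWAMID_AL2,
        "Meta-Assurance-Certification": SWAMID_AL1,
    },
    # No assurance certification in metadata: nothing is trusted.
    "uncertified_idp": {
        "assurance": SWAMID_AL2,
    },
}


def evaluate_samples() -> Dict[str, Set[str]]:
    """Apply trusted_assurance() to every constructed sample session."""
    return {name: trusted_assurance(session) for name, session in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, profiles in evaluate_samples().items():
        print(name, sorted(profiles) or "(no trusted assurance)")
```

The intersection is the whole point: checking eduPersonAssurance alone would let the second sample session pass an AL2 requirement, while checking metadata alone says nothing about the individual user. Applications that gate functionality on assurance level should call meets_level() rather than reading the assurance variable directly.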

...