Check for SWAMID Assurance Profiles (Swedish users)

SWAMID has three defined levels of assurance, SWAMID AL1 (http://www.swamid.se/policy/assurance/al1), SWAMID AL2 (http://www.swamid.se/policy/assurance/al2) and SWAMID AL3 (http://www.swamid.se/policy/assurance/al3).

...

The Identity Provider uses the attribute eduPersonAssurance (urn:oid:1.3.6.1.4.1.5923.1.1.1.11) to assert the logged-in user's assurance profile. Please observe that the Identity Provider must not indicate any assurance profile other than the one it is approved for. Signaling the user's assurance profile via the attribute eduPersonAssurance means that the user validation fulfils all parts of the asserted assurance profile. The attribute mapping for eduPersonAssurance is defined as assurance in 3.2 Configure Shibboleth SP - attribute-map.xml.

...

Please note that this approach only checks that the Identity Provider and the user fulfil the checked assurance profile. Checking that the credentials used to log in fulfil the assurance profile is more advanced and needs more configuration of both the Service Provider and the Identity Provider.

Check for REFEDS Assurance Framework (international users)

Internationally within eduGAIN, the REFEDS Assurance Framework (RAF) is used to send information about the user's assurance levels. RAF is different from SWAMID Assurance Profiles, but they are more or less mappable. For identity proofing, SWAMID AL1 maps to RAF low (https://refeds.org/assurance/IAP/low), SWAMID AL2 maps to RAF medium (https://refeds.org/assurance/IAP/medium) and SWAMID AL3 maps to RAF high (https://refeds.org/assurance/IAP/high). REFEDS Assurance Framework values are only signaled for users in the attribute eduPersonAssurance (urn:oid:1.3.6.1.4.1.5923.1.1.1.11).

Indication of uniqueness of identifiers is released as separate RAF values. If the identifier attribute eduPersonPrincipalName is used to identify the user, and the identifier is unique for a specific person and will never be used for another person, eduPersonAssurance includes the value https://refeds.org/assurance/ID/eppn-unique-no-reassign. If the newer SAML V2.0 Subject Identifier Attributes Profile Version 1.0 attributes subject-id or pairwise-id are used to identify the user, and the identifier is unique for a specific person and will never be used for another person, eduPersonAssurance includes the value https://refeds.org/assurance/ID/unique.

Expected Web Application behavior for SWAMID Assurance Profiles

If the web application needs to check whether a user is approved for a REFEDS Assurance Framework claim, the application needs to check the approved assurance values for the user.

Please note that this approach only checks that the Identity Provider and the user fulfil the checked assurance claims. Checking that the credentials used to log in fulfil the assurance profile is more advanced and needs more configuration of both the Service Provider and the Identity Provider.
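The checks described in both sections above (SWAMID Assurance Profiles and REFEDS Assurance Framework values, plus the RAF identifier-uniqueness claims) can be implemented on the application side as below. This is an added example, not code from the SWAMID wiki or the Shibboleth project; it assumes the SP exposes the mapped assurance attribute to the application as one string with values separated by ";" (the Shibboleth SP default multi-value separator), that a higher asserted level satisfies a lower requirement, and that SWAMID ALn and the RAF IAP level it maps to are treated as equivalent.

```python
from __future__ import annotations

# Assurance scales, ordered low -> high, using the URIs given on the page.
SWAMID_LEVELS = [
    "http://www.swamid.se/policy/assurance/al1",
    "http://www.swamid.se/policy/assurance/al2",
    "http://www.swamid.se/policy/assurance/al3",
]
RAF_IAP_LEVELS = [
    "https://refeds.org/assurance/IAP/low",
    "https://refeds.org/assurance/IAP/medium",
    "https://refeds.org/assurance/IAP/high",
]
# Rank 0..2 on either scale, so AL2 and IAP/medium compare equal (page mapping).
LEVEL_RANK = {v: i for scale in (SWAMID_LEVELS, RAF_IAP_LEVELS) for i, v in enumerate(scale)}
# RAF uniqueness claim required for each identifier attribute the app may rely on.
ID_UNIQUENESS = {
    "eduPersonPrincipalName": "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
    "subject-id": "https://refeds.org/assurance/ID/unique",
    "pairwise-id": "https://refeds.org/assurance/ID/unique",
}


def parse_assurance(raw: str | None) -> frozenset[str]:
    """Split the SP's 'assurance' attribute into the set of asserted URIs.
    Assumption: multiple values arrive ';'-separated (Shibboleth SP default)."""
    if not raw:
        return frozenset()
    return frozenset(v.strip() for v in raw.split(";") if v.strip())


def meets_level(asserted: frozenset[str], minimum: str) -> bool:
    """True if any asserted value is at or above ``minimum`` on either scale.
    Assumption: a higher level satisfies a lower requirement."""
    if minimum not in LEVEL_RANK:
        raise ValueError(f"unknown assurance value: {minimum}")
    return any(LEVEL_RANK.get(v, -1) >= LEVEL_RANK[minimum] for v in asserted)


def identifier_is_unique(asserted: frozenset[str], id_attribute: str) -> bool:
    """True if the RAF uniqueness claim matching the identifier in use is present."""
    return ID_UNIQUENESS[id_attribute] in asserted


def authorize(raw_assurance: str | None, minimum: str, id_attribute: str) -> bool:
    """Gate: required level AND a never-reassigned identifier; fails closed if absent."""
    asserted = parse_assurance(raw_assurance)
    return meets_level(asserted, minimum) and identifier_is_unique(asserted, id_attribute)
```

As the page notes, this only verifies what the Identity Provider asserted about the user; it says nothing about the strength of the credential used in the current login.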

...