...

Text in green shows where there is a difference between SWAMID Identity Assurance Level Profiles, i.e. compared with the nearest "lower level".

Numbers between [ and ] are references to information further down in the page and are not part of the eduPersonAssurance values.

SWAMID Identity Assurance Profile 1

...

  • http://www.swamid.se/policy/assurance/al1
  • http://www.swamid.se/policy/assurance/al2
  • https://refeds.org/assurance
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/ID/unique
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/medium
  • https://refeds.org/assurance/IAP/local-enterprise
  • https://refeds.org/assurance/ATP/ePA-1m

SWAMID Identity Assurance Profile 3 without multi-factor authentication

A user that fulfils the SWAMID Identity Assurance Level 3 Profile should be signaled as SWAMID Identity Assurance Profile 2 when the authentication was not performed with multi-factor authentication.
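The step-down rule above, as an added example (not SWAMID's own code or configuration): an attribute-release helper that picks the eduPersonAssurance value set from the profile the user fulfils and whether multi-factor authentication was performed, and that strips the [n] reference markers this page uses before release. Assumptions: the URI list shown on this page is taken to be the Profile 2 value set; the Profile 3 value set is elided on the page, so PROFILE3_EXTRA_VALUES holds a labelled placeholder rather than real values.

```python
import re

# Value set for SWAMID Identity Assurance Profile 2, as listed on this page
# (assumption: the list on the page is the Profile 2 set).
PROFILE2_VALUES = [
    "http://www.swamid.se/policy/assurance/al1",
    "http://www.swamid.se/policy/assurance/al2",
    "https://refeds.org/assurance",
    "https://refeds.org/assurance/profile/cappuccino",
    "https://refeds.org/assurance/ID/unique",
    "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
    "https://refeds.org/assurance/IAP/low",
    "https://refeds.org/assurance/IAP/medium",
    "https://refeds.org/assurance/IAP/local-enterprise",
    "https://refeds.org/assurance/ATP/ePA-1m",
]

# PLACEHOLDER: the Profile 3 value set is not shown on this page.
PROFILE3_EXTRA_VALUES = ["<profile-3-value-placeholder>"]

# Matches a "[3]"-style reference marker, which is page annotation only.
_REF_MARKER = re.compile(r"\s*\[\d+\]\s*")


def strip_reference_markers(value: str) -> str:
    """Remove "[n]" page references; they are not part of the attribute value."""
    return _REF_MARKER.sub("", value).strip()


def effective_profile(fulfilled_profile: int, mfa_performed: bool) -> int:
    """Apply the step-down rule: Profile 3 without MFA is signaled as Profile 2."""
    if fulfilled_profile == 3 and not mfa_performed:
        return 2
    return fulfilled_profile


def assurance_values(fulfilled_profile: int, mfa_performed: bool) -> list[str]:
    """Return the eduPersonAssurance values to release for this authentication.

    Only Profiles 2 and 3 are handled here; the Profile 1 set is not on this page.
    """
    profile = effective_profile(fulfilled_profile, mfa_performed)
    if profile == 2:
        values = list(PROFILE2_VALUES)
    elif profile == 3:
        values = list(PROFILE2_VALUES) + list(PROFILE3_EXTRA_VALUES)
    else:
        raise ValueError(f"no value set for profile {profile} in this example")
    # Defensive clean-up in case values were copied with page references attached.
    return [strip_reference_markers(v) for v in values]


if __name__ == "__main__":
    for mfa in (False, True):
        print(f"Profile 3 user, MFA={mfa}:")
        for v in assurance_values(3, mfa):
            print("  ", v)
```

The decision is made per authentication, not per user: the same Profile 3 user gets the Profile 2 set on a password-only login and the Profile 3 set only when the IdP has actually seen a multi-factor authentication in that session.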

SWAMID Identity Assurance Profile 3 including multi-factor authentication

A user that fulfils the SWAMID Identity Assurance Level 3 Profile and has performed multi-factor authentication should get the following values in the attribute eduPersonAssurance:

...

This attribute value signals that the values of the attributes eduPersonAffiliation and eduPersonScopedAffiliation change within one month from the departure from the organisation or a change of organisational roles (i.e., if an employee is no longer defined as an employee or a student is no longer a student). In the REFEDS Assurance Framework it is defined that “a departure” from an organisation takes place when the organisation decides that the user doesn’t have a continuing basis for the affiliation value and therefore loses their organisational role and privileges (i.e., can no longer speak for the organisation in that role).

The organisational business practices here may vary; for instance:

  • In some organisations a researcher loses their organisational role and privileges the day their employment or other contract ends, in some organisations there is a defined grace period.

  • In some universities a student loses their organisational role and privileges the day they graduate, in some organisations the student role and privileges remain effective until the end of the semester.

REFEDS Assurance Framework imposes no particular requirements on the organisational business practices regarding when the departure takes place. This value is intended to indicate only the maximum latency for the Identity Provider’s identity management system to reflect the departure in the user’s attributes.

Notice also that this section does not require that the departing user’s account must be removed or disabled; only that the affiliation attribute value as observed by the Service Provider is updated.
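An added example (not part of the SWAMID page) of the only thing ATP/ePA-1m actually asserts, the maximum latency between the organisation's departure decision and the affiliation update observed by Service Providers: an audit over constructed identity-management records that flags users whose affiliation was updated later than one calendar month after departure, or not updated at all once that month has passed. The record layout, the user names and the dates are constructed for the example; "one month" is interpreted as the same day of the next month (clamped to the month's length), which is an assumption, since the text does not define the unit more precisely.

```python
import calendar
from datetime import date

# Constructed sample records: the date the organisation decided the user had
# departed (lost role and privileges) and the date the affiliation attribute
# as released to Service Providers was changed. None means not yet changed.
RECORDS = [
    {"user": "alice", "departed": date(2024, 1, 15), "affiliation_updated": date(2024, 1, 20)},
    {"user": "bob", "departed": date(2024, 2, 1), "affiliation_updated": date(2024, 3, 15)},
    {"user": "carol", "departed": date(2024, 3, 10), "affiliation_updated": None},
    {"user": "dave", "departed": date(2024, 1, 31), "affiliation_updated": date(2024, 2, 29)},
]


def one_month_after(d: date) -> date:
    """Same day next month, clamped to that month's last day (assumed reading of 'one month')."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def epa_1m_violations(records, today: date) -> list[str]:
    """Return users whose affiliation change exceeded the one-month latency.

    A record violates ePA-1m if the attribute was updated after the deadline,
    or if it is still unchanged and the deadline has already passed as of
    `today`. Whether the account itself is disabled is irrelevant; only the
    affiliation value observed by the SP matters.
    """
    violations = []
    for rec in records:
        deadline = one_month_after(rec["departed"])
        updated = rec["affiliation_updated"]
        if updated is None:
            late = today > deadline
        else:
            late = updated > deadline
        if late:
            violations.append(rec["user"])
    return violations


def may_assert_epa_1m(records, today: date) -> bool:
    """True if no departure in the sample exceeded the latency the value promises."""
    return not epa_1m_violations(records, today)


if __name__ == "__main__":
    today = date(2024, 4, 20)
    print("late affiliation updates:", epa_1m_violations(RECORDS, today))
    print("ATP/ePA-1m supported by this sample:", may_assert_epa_1m(RECORDS, today))
```

Running this periodically against the real departure and attribute-change logs is one way for an Identity Provider to check that it can keep releasing https://refeds.org/assurance/ATP/ePA-1m, independent of how long the organisation's own grace periods are: the clock only starts when the organisation has decided the departure has taken place.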

Technical implementation

SWAMID has published information in Swedish on how to configure release of assurance via the attribute eduPersonAssurance.