- Created by Albert Wu (internet2.edu), last modified by Scott Cantor (osu.edu) on Sep 16, 2021
Jump to:
Overview
eduPersonAssurance
delivers a set of URIs that expresses a user credential's compliance with specific standards for identity assurance. This multi-valued attribute represents identity assurance profiles (IAPs), which are the set of standards that are met by an identity assertion, based on the Identity Provider's identity management processes and the strength of the binding between those processes and the real world identity of the subject.
eduPersonAssurance
is defined in the eduPerson→ LDAP object class.
Use in the InCommon Federation
When implementing the REFEDS Assurance Framework (RAF), an identity provider communicates to a service provider in the SAML assertion that the signed-in user meets identity proofing and credentialing assurance requirements using the eduPersonAssurance
attribute.
A user may meet multiple IAP requirements defined in RAF. In these cases, the identity provider should send ALL applicable RAF values.
Applicable Values
See the REFEDS Assurance Framework for specific value definitions.
The REFEDS Assurance Framework defines a range of values to signal varying levels of identity proofing and credential issuance. The Identity Assurance Profile values (sections 2.2), in particular, are hierarchical, i.e., qualifying for a higher level of assurance also qualifies the credential for a lower level. For example, a credential meeting the requirements of /IAP/medium
also meets the requirements of /IAP/low
.
When asserting a person's assurance level, the identity provider should send ALL applicable RAF values, not only the highest one. If a credential meets the requirements for /IAP/medium
, the identity provider should assert /IAP/medium
AND /IAP/low
.
Examples
Example 1
In this example:
- the identity management system satisfies the baseline expectations for Identity Providers
the identity management system has issued the signed-in user a unique identifier value (
/ID/Unique
)the user is ID-proofed face-to-face using government-issued photo-ID (
/IAP/medium
)the user has access to mission critical enterprise systems (
/IAP/local-enterprise
)
These qualifications means the identity provider should assert the following assurance attribute values:
https://refeds.org/assurance
https://refeds.org/assurance
/ID/unique
https://refeds.org/assurance/IAP/local-enterprise
https://refeds.org/assurance/IAP/low
https://refeds.org/assurance/IAP/medium
In SAML 2.0, this looks like:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="..." Version="2.0" IssueInstant="2020-07-17T01:01:48Z" Destination="...." InResponseTo="..."> ... <saml:Assertion ...> ... <saml:AttributeStatement> <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" FriendlyName="eduPersonAssurance"> <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance</saml:AttributeValue> <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/ID/unique</saml:AttributeValue> <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/medium</saml:AttributeValue> <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/low</saml:AttributeValue> <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/local-enterprise</saml:AttributeValue> </saml:Attribute> ... </saml:AttributeStatement> </saml:Assertion> </samlp:Response>
The remaining examples omit the SAML syntax for brevity.
See Also
Example 2
In this example, the user is a guest. Guests, for the purposes of this example, prove control of an email address and provide self-asserted personal information and so qualify for IAP "low", but are not generally given any access to enterprise systems.
Summarizing:
- the identity management system satisfies the baseline expectations for Identity Providers
the identity management system has issued the signed-in user a unique identifier value (
/ID/Unique
)the user controls an email account and has self-asserted their information (
/IAP/low
)
These qualifications means the identity provider should assert the following assurance attribute values:
https://refeds.org/assurance
https://refeds.org/assurance
/ID/unique
https://refeds.org/assurance/IAP/low
Example 3
In this example, the user can login to the Identity Provider via a social identity that masks much of their information and the organization has very little control over or trust in the credential's binding to a person. Furthermore, the IdP is passing through an identifier managed by the social identity source and that may be reassigned.
Summarizing:
- the identity management system satisfies the baseline expectations for Identity Providers
- the identity management system does not possess a reliably unique identifier for the user
- the identity management system does not wish to vouch for any aspect of the processes used by the social identity provider
These qualifications means the identity provider should assert only the following assurance attribute value:
https://refeds.org/assurance
The single value provides no additional confidence in this specific social identity but does indicate to the relying party that the organization is compliant with the REFEDS Assurance Framework and that the absence of additional values is deliberate.
Working with user data
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
Related content
-
Page:
-
Page:
-
Page:
-
Page:
-
Page:
Get help
Can't find what you are looking for?