...

Technical implementation of identity assurance requires system changes from InCommon Operations, IdPs, and SPs. This page (and its child pages) captures lessons learned, recommended practices, and outstanding issues regarding the technical aspects of identity assurance.

...

Every authentication statement issued by an IdP contains an <saml:AuthnContext> element that expresses the context of the authentication event. There are a variety of syntaxes supported, but the most common one is to define a "class" of authentication contexts that all share essential characteristics that are of interest to a relying party. These classes are mapped to URI constants that are expressed in an element called <saml:AuthnContextClassRef>, of which a single value can be expressed by the IdP in response to an authentication request.

In addition, SAML V2.0 SPs have the capability to include simple or complex matching requirements in their authentication requests that influence the Authentication Context supplied by the IdP. The intent is to allow IdPs that support varying levels of assurance to honor requests based on the requirements of the SP and not a one-size-fits-all policy. In practice, this approach can be tricky to implement and may depend on customization of one's software deployment.

Thus, we expect deployment of assurance implementations to be gradual, and we will continue to evolve this documentation to reflect what we learn. We also encourage deployers to talk to their software suppliers about the support (or lack thereof) for these features.

IAQs in Metadata

InCommon Operations will add identity assurance qualifiers (IAQs) to published metadata following notification of certification by InCommon management. IAQs will be added to the appropriate IdP entity descriptor of the certified IdP operator (IdPO).

...

Proposed IAQ URIs are:

Silver: http://id.incommon.org/assurance/silver
Bronze: http://id.incommon.org/assurance/bronze

There will likely be a need for non-production IAQs for use in interoperability testing, probably with test instances of metadata. The IAQs to be used during interoperability testing are:

Silver: http://id.incommon.org/assurance/silver-test
Bronze: http://id.incommon.org/assurance/bronze-test

Note that all of the above URIs will most likely resolve to actual web pages at some point.

Technical Details

The following extension is the immediate child element of the IdP's <md:EntityDescriptor> element in metadata:

...

The <mdattr:EntityAttributes> element and the name of the SAML Attribute (urn:oasis:names:tc:SAML:attribute:assurance-certification) are defined by the OASIS specification entitled SAML V2.0 Metadata Extension for Entity Attributes and the OASIS SAML V2.0 Identity Assurance Profiles, respectively.
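As an added example (not part of this wiki page and not InCommon's own code or metadata), a small Python check an SP could run against a federation-signed IdP entity descriptor: it pulls the assurance-certification values out of <mdattr:EntityAttributes> (placed under <md:Extensions>, as the metadata schema requires) and honors an asserted <saml:AuthnContextClassRef> only when the metadata backs it. The entityID and the sample entity descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 metadata and the Entity Attributes extension.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed sample (not InCommon's metadata): an IdP marked by the federation
# operator as certified for Silver and for the Silver test IAQ.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://id.incommon.org/assurance/silver</saml:AttributeValue>
        <saml:AttributeValue>http://id.incommon.org/assurance/silver-test</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def certified_iaqs(metadata_xml):
    """IAQ URIs recorded for this IdP. Verify the metadata signature (e.g. with
    XmlSecTool) before trusting them; use defusedxml for untrusted input."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected an md:EntityDescriptor root element")
    iaqs = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ASSURANCE_ATTR:
            continue  # other entity attributes (e.g. entity categories) are not IAQs
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                iaqs.add(value.text.strip())
    return iaqs


def accept_assurance_context(metadata_xml, asserted_class_ref):
    """SP-side check: honor an assurance AuthnContextClassRef only when the
    federation metadata says the IdP is certified for that IAQ. The assertion
    alone is not evidence of certification; the signed metadata is."""
    return asserted_class_ref in certified_iaqs(metadata_xml)
```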

A complete, working metadata sample is attached to this wiki topic. To schema validate this sample metadata, you can use XmlSecTool:

...