Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

...

Technical implementation of identity assurance requires system changes from InCommon Operations, IdPs, and SPs. There are many different scenarios and choices.This page (and its child pages) capture lessons learned, recommended practices, and outstanding issues regarding the technical aspects of identity assurance.

Table of Contents
Info
titleThe Use of SAML V2.0

Participation in the InCommon Identity Assurance Program requires the use of SAML V2.0 Web Browser SSO. IdP and SP operators should plan for an to upgrade path to SAML V2.0as soon as possible.

Metadata management

InCommon Operations will add identity assurance qualifiers (IAQs) to published metadata following notification of certification by InCommon management. IAQs will be added to the appropriate IdP entity descriptor of the certified IdP operator (IdPO).

Proposed IAQ URIs are:

Silverhttp://id.incommon.org/assurance/silver
Bronzehttp://id.incommon.org/assurance/bronze

There will likely be a need for non-production IAQs for use in interoperability testing, probably with test instances of metadata:

Silverhttp://id.incommon.org/assurance/silver-test
Bronzehttp://id.incommon.org/assurance/bronze-test

Note that all of the above URIs will resolve to actual web pages at some point.

IAQs in metadata

The following extension element will be added to the IdP's entity descriptor in metadata:

...


<mdattr:EntityAttributes
     xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>http://id.incommon.org/assurance/silver</saml:AttributeValue>
    <saml:AttributeValue>http://id.incommon.org/assurance/bronze</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

The <mdattr:EntityAttributes> element and the name of the <saml:Attribute> element are defined by relevant OASIS specifications.

Issues

  • The entity attribute and/or the IAQ has to be dated or versioned to indicate exactly what IAP is referred to.

SP behavior

Ideally SPs will initiate the assurance flow by including the desired IAQ in the SAML AuthnRequest element.

SPs will receive IAQs (either in response to a specific request, or sent unsolicited) in assertions from IdPs. SPs should use metadata to check that the IdP is authorized to assert the IAQs being asserting.

SPs will rely on local policy to decide how to handle incoming IAQs. For example if the SP requires InCommon Bronze but receives InCommon Silver, that should be acceptable.

Issues

  • Some SPs may not be able to use the AuthnRequest mechanism due to software or other limitations. Are they simply out of luck?
  • How is the AuthnRequest configured using the Shib SP?  The simpleSAMLphp SP?
  • Boarding process: Since an IAQ in metadata makes a statement about certification (not live service), how does an SP determine that an IdP supports assurance operationally (ala attribute support)? One approach is to include <saml:Attribute> elements in IdP metadata. Other approaches?
  • Does the Shib SP software support the metadata check? Does the simpleSAMLphp SP?
  • What matching rules are recommended, or acceptable?
  • How is an SP supposed to "know" that Silver is acceptable in lieu of Bronze? Is there a role for InCommon to provide "advice"?

IdP behavior

Ideally IdPs will receive a desired IAQ from an SP in an AuthnRequest to initiate the process. The IdP compares the requested IAQ to its matching rule and interacts with the local IdM system to determine if the current user meets the requirements. If so, the appropriate IAQ is returned in the AuthnContext element in the assertion.

Issues

  • What matching rules are supported?
  • If the SP requests Bronze, is it allowable for the IdP return Silver? How does the IdP "know" the mapping? Is there a role for InC to provide "advice"?
  • Is it possible and/or desirable for the IdP to return multiple IAQs? No, not using the AuthnContext element.
  • How does the Shib IdP interact with local IdM? Is a custom login handler required? Same question for simpleSAMLphp.
  • If an SP does not assert an IAQ in an AuthnRequest and the current user meets the requirements for one or more IAQs, should the IdP assert the IAQ(s).
  • Can the Shib (or SSP) IdP be configured to send IAQs without being requested?
  • If so, what are the appropriate policy knobs (per-SP, per-user, whatever)?

References

...

SAML V2.0 Support for Assurance

SAML's support for identity assurance is embodied in a concept called "Authentication Context". The context of an authentication event is designed to capture both technical and procedural elements that factor into the "confidence" expressed by the identity provider in the event. In terms of assurance, this maps to the concepts of technical strength and identity proofing strength that make up an assurance profile.

Every authentication statement issued by an IdP contains an <saml:AuthnContext> element that expresses the context of the authentication event. There are a variety of syntaxes supported, but the most common one is to define a "class" of authentication contexts that all share essential characteristics that are of interest to a relying party. These classes are mapped to URI constants that are expressed in an element called <saml:AuthnContextClassRef>, of which a single value can be expressed by the IdP in response to an authentication request.

In addition, SAML V2.0 SPs have the capability to include simple or complex matching requirements in their authentication requests that influence the Authentication Context supplied by the IdP. The intent is to allow IdPs that support varying levels of assurance to honor requests based on the requirements of the SP and not a one-size-fits-all policy. In practice, this approach can be tricky to implement and may depend on customization of one's software deployment.

Thus, we expect assurance deployment to be gradual, and we will continue to evolve documentation to reflect what we learn. We also encourage deployers to talk to their software suppliers about the support (or lack thereof) of these features.

InCommon Practices

See: InCommon Practices - Certification and Metadata

SP Behavior

See: Assurance - Service Provider Behavior.

IdP Behavior

See: Assurance - Identity Provider Behavior.

References

Attachments