Versions Compared

Old Version 10

changes.mady.by.user David Wasley

Saved on

compared with

New Version 11

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
titleThe Use of SAML V2.0

Participation in the InCommon Identity Assurance Program requires the use of SAML V2.0 Web Browser SSO. IdP and SP operators should plan for an upgrade path to SAML V2.0.

...

Metadata management

InCommon Operations will add identity assurance qualifiers (IAQs) to the published metadata following notification of certification by InCommon management. These IAQs will apply be applied to the relevant IdP entries entity descriptors of the certified IdP operators (IdPOs).  

Proposed IAQ URIs are:

Silverhttp://id.incommon.org/assurance/silver
Bronzehttp://id.incommon.org/assurance/bronze

There will likely be a need for non-production IAQs for use in interop interoperability testing, probably with test instances of metadata.  Proposed test IAQs:

Silverhttp://id.incommon.org/assurance/silver-test
Bronzehttp://id.incommon.org/assurance/bronze-test

Note that all of the above URIs will resolve to real actual web pages at some point.

IAQs in metadata

The following extension element will be added to the IdP's entity descriptor in metadata:

Code Block
xml
xml

<mdattr:EntityAttributes
     xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute>
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>http://id.incommon.org/assurance/silver</saml:AttributeValue>
    <saml:AttributeValue>http://id.incommon.org/assurance/bronze</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

The <mdattr:EntityAttributes> element and the name of the <saml:Attribute> element are defined by relevant OASIS specifications.

SP behavior

Ideally SPs will initiate the assurance flow by including the desired IAQ in the SAML AuthnRequest element.

...

SPs will rely on local policy to decide how to handle incoming IAQs.  For example if the SP requires InCommon Bronze but receives InCommon Silver, that should be acceptable.  How is an SP supposed to "know" this?  Is there a role for InC to provide "advice"?

IdP behavior

Ideally IdPs will receive a desired IAQ from an SP in an AuthnRequest to initiate the process.  The IdP compares the requested IAQ to its matching rule and interacts with the local IdM system to determine if the current user meets the requirements.  If so, the appropriate IAQ is returned in the AuthnContext element in the assertion.

...

  • Can the Shib (or SSP) IdP be configured to send IAQs without being requested?
  • If so, what are the appropriate policy knobs (per-SP, per-user, whatever)?

References