...

In addition, the diversity of higher education IdP implementations, and of the identity management and authentication systems that support them, calls for a certain level of configurability and flexibility in how the Shibboleth IdP supports the bullets above. To support the Silver Identity Assurance profile, one organization may determine that bringing its password infrastructure into compliance is a viable option, while another may layer on a multi-factor solution and bypass the complexity and scope of its current password infrastructure. The solution must be able to manage the use of multiple authentication systems, the contexts in which each is required, and the user's ability to choose an authentication method when more than one option exists.

The RFP was issued in July 2013, based on the specifications in Assurance Enhancements for the Shibboleth Identity Provider (19 April 2013); it was awarded and implementation began. Acceptance testing for the MCB was completed in January 2014, and the MCB was released in February 2014.

Defining Some Terms

  • Authentication Method. A method for authenticating the identity of the current user. Examples are username/password, X.509 client certificates, one-time password devices, etc. In the context of the MCB and Shibboleth, this is a specific instance of such a method. For example, UC Irvine's UCInetID system (which is based on Kerberos software) is an Authentication Method, whereas the generic Kerberos software is not. (In this document, "Authentication Method" is often shortened to "Method" for brevity.)
  • Authentication Context. The context of the authentication event that results in a SAML assertion sent from the IdP to an SP. An Authentication Context comprises an Authentication Method plus any other relevant criteria, such as the identity proofing and registration processes used to issue credentials to the current user. In SAML, only the name of an Authentication Context is sent between IdPs and SPs; the Authentication Method and other criteria associated with that name are documented separately. Note that multiple Authentication Contexts often form a hierarchy, in the sense that one Authentication Context's criteria may satisfy the criteria of another. For example, InCommon Silver satisfies the criteria for InCommon Bronze. (In this document, "Authentication Context" is often shortened to "Context" for brevity.)
  • Assurance Profile. Criteria related to the trustworthiness of SAML assertions, such as InCommon Bronze and Silver. Assurance Profiles are represented in SAML as Authentication Contexts.
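To make the Context hierarchy and the brokering decision concrete, the following is an added Python model written for this page; it is not the MCB's own code. It assumes the InCommon Bronze and Silver context URIs, and the "urn:example:..." context names, the Method names (campus-kerberos, campus-otp) and the two users are hypothetical. It shows three things the definitions above state in prose: SAML carries only a Context name, so the IdP needs a local table of what each name satisfies; the same Method can yield different Contexts for different users because identity proofing is part of the Context; and when several Methods satisfy the SP's request the user's preference can decide, while a request nothing satisfies must be refused rather than downgraded.

```python
from dataclasses import dataclass

# Context names. The InCommon Bronze/Silver URIs are the published InCommon
# identifiers (assumed here); the "urn:example:..." names are hypothetical
# local contexts.
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
PASSWORD = "urn:example:authn:password"
MFA = "urn:example:authn:mfa"

# Locally documented meaning of each name: which other contexts' criteria it
# satisfies (one hop). SAML carries only the name; this table is the IdP's
# side of the separately documented criteria.
SATISFIES = {
    SILVER: {BRONZE},     # Silver meets everything Bronze requires
    BRONZE: {PASSWORD},   # Bronze implies at least a password login
    MFA: {PASSWORD},      # the hypothetical MFA profile also implies a password
    PASSWORD: set(),
}


def closure(ctx):
    """Every context name whose criteria `ctx` satisfies, including itself."""
    seen, stack = set(), [ctx]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(SATISFIES.get(c, ()))
    return seen


@dataclass
class User:
    name: str
    # Authentication Method -> strongest Context this user reaches with it.
    # The same Method can yield different Contexts for different users,
    # because identity proofing belongs to the Context, not the Method.
    methods: dict


def eligible(user, requested):
    """Options that honour the SP's AuthnContextClassRef list, walked in the
    SP's preference order. Each option is (method, context to assert)."""
    options = []
    for want in requested:
        for method, reached in user.methods.items():
            if want in closure(reached):
                options.append((method, want))
    return options


def broker(user, requested, preference=None):
    """Pick the Method to run. Returns None when no Method the user has can
    satisfy any requested Context; the IdP must then refuse rather than
    assert a weaker Context than the SP asked for."""
    options = eligible(user, requested)
    if not options:
        return None
    if preference is not None:
        for method, ctx in options:
            if method == preference:
                return (method, ctx)
    return options[0]


# Constructed users: alice was identity-proofed, so her password login is
# Silver-qualified; bob's identical login only reaches the password Context.
alice = User("alice", {"campus-kerberos": SILVER, "campus-otp": MFA})
bob = User("bob", {"campus-kerberos": PASSWORD, "campus-otp": MFA})

if __name__ == "__main__":
    print(broker(alice, [SILVER]))                             # Silver via Kerberos
    print(broker(bob, [SILVER]))                               # None: refuse
    print(broker(alice, [PASSWORD], preference="campus-otp"))  # user's choice
```

The `preference` argument is where the user's control over their Method enters: it is only honoured among options that already satisfy the SP's request, so a user can never pick a Method that yields a weaker Context than the SP asked for.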

...