- Created by Albert Wu (internet2.edu) on May 11, 2021
Overview
eduPersonAssurance delivers a set of URIs that express a user credential's compliance with specific standards for identity assurance. This multi-valued attribute represents identity assurance profiles (IAPs), which are the sets of standards met by an identity assertion, based on the Identity Provider's identity management processes, the type of authentication credential used, the strength of its binding to the user, etc.
eduPersonAssurance is defined in the eduPerson LDAP object class.
Use in the InCommon Federation
When implementing the REFEDS Assurance Framework (RAF), an identity provider uses the eduPersonAssurance attribute in the SAML assertion to communicate to a service provider that the signed-in user meets identity proofing and credentialing assurance requirements.
A user may meet multiple requirements defined in RAF; the identity provider should send ALL applicable RAF values when asserting the user's assurance.
Applicable Values
See REFEDS Assurance Framework for specific value definitions.
The REFEDS Assurance Framework defines a range of values to signal varying levels of identity proofing and credential issuance. The Identity Assurance Profile values (section 2.2), in particular, are hierarchical: qualifying for a higher level of assurance also qualifies the credential for every lower level. For example, a credential meeting the requirements of /IAP/medium also meets the requirements of /IAP/low.
When asserting a person's assurance level, the identity provider should send ALL applicable RAF values, not only the highest one. If a credential meets the requirements for /IAP/medium, the identity provider should assert /IAP/medium AND /IAP/low.
SAML Response Example
Example 1 illustrates that:
- the identity management system has issued the signed-in user a unique ePUID value (/ID/unique)
- the user is ID-proofed face-to-face using a government-issued photo ID (/IAP/medium)
- the user has access to mission-critical enterprise systems (/IAP/local-enterprise)
- the identity management system qualifies to the baseline expectations for Identity Providers
These qualifications mean the identity provider should assert the following multi-valued assurance assertion (where $PREFIX$ is https://refeds.org/assurance, as in the SAML response below):
$PREFIX$
$PREFIX$/ID/unique
$PREFIX$/IAP/local-enterprise
$PREFIX$/IAP/low
$PREFIX$/IAP/medium
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="..." Version="2.0" IssueInstant="2020-07-17T01:01:48Z"
                Destination="...." InResponseTo="...">
  ...
  <saml:Assertion ...>
    ...
    <saml:AttributeStatement>
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                      FriendlyName="eduPersonAssurance"
                      x500:Encoding="LDAP">
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/ID/unique</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/low</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/local-enterprise</saml:AttributeValue>
      </saml:Attribute>
      ...
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
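The following is an added example, not code from the InCommon wiki or from any REFEDS or InCommon software. It covers both the "send ALL applicable values" rule above and the SAML response in Example 1: on the identity provider side it expands the highest IAP level a credential meets into the full multi-valued set (every lower level plus the base value), and on the service provider side it parses the eduPersonAssurance attribute out of an assertion and checks whether a required IAP level is met, accepting the required level or any higher one. It assumes the value URIs shown on this page under https://refeds.org/assurance, plus /IAP/high as the level above /IAP/medium (defined in RAF but not listed on this page); the SAML fragment it parses is constructed for the example, with the xsi and xsd namespace declarations added so it parses on its own.

```python
"""Added example (not from the InCommon wiki page): expanding REFEDS Assurance
Framework (RAF) values on the IdP side and checking them on the SP side.

Assumptions: RAF value URIs as shown on the page under
https://refeds.org/assurance; the IAP ranking low < medium < high
(/IAP/high is from RAF, not listed on the page). The SAML fragment below
is constructed for this example.
"""
import xml.etree.ElementTree as ET

PREFIX = "https://refeds.org/assurance"
# Identity Assurance Profile levels, lowest first (RAF section 2.2 is hierarchical).
IAP_LEVELS = ["low", "medium", "high"]
EPA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonAssurance
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def idp_assurance_values(highest_iap, extra=()):
    """Return the full multi-valued eduPersonAssurance set an IdP should assert.

    `highest_iap` is the highest IAP level the credential meets; every lower
    level is added too, because qualifying for /IAP/medium also qualifies for
    /IAP/low. `extra` carries the non-hierarchical values (e.g. "ID/unique",
    "IAP/local-enterprise"). The base value PREFIX is always included.
    """
    if highest_iap not in IAP_LEVELS:
        raise ValueError(f"unknown IAP level: {highest_iap}")
    values = {PREFIX}
    for level in IAP_LEVELS[: IAP_LEVELS.index(highest_iap) + 1]:
        values.add(f"{PREFIX}/IAP/{level}")
    for v in extra:
        values.add(f"{PREFIX}/{v}")
    return sorted(values)


def sp_assurance_values(assertion_xml):
    """Extract the eduPersonAssurance values from a SAML Assertion (or Response)."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        if attr.get("Name") != EPA_OID:
            continue  # match on the OID, not the FriendlyName, which is optional
        for val in attr.findall("saml:AttributeValue", NS):
            if val.text:
                values.add(val.text.strip())
    return values


def sp_meets_iap(values, required):
    """True if the asserted values satisfy the required IAP level.

    The required level or any higher one is accepted, so an SP is not broken
    by an IdP that (contrary to the guidance) sends only its highest level.
    Design choice: without the base value PREFIX the IdP has not claimed RAF
    conformance at all, so nothing under it is trusted.
    """
    if PREFIX not in values:
        return False
    needed = IAP_LEVELS.index(required)
    return any(f"{PREFIX}/IAP/{lvl}" in values for lvl in IAP_LEVELS[needed:])


# Constructed sample, modelled on the page's Example 1 (namespace declarations
# added so the fragment parses stand-alone).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPA_OID}" FriendlyName="eduPersonAssurance"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xsd:string">{PREFIX}</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xsd:string">{PREFIX}/ID/unique</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xsd:string">{PREFIX}/IAP/medium</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xsd:string">{PREFIX}/IAP/low</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xsd:string">{PREFIX}/IAP/local-enterprise</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(idp_assurance_values("medium", ["ID/unique", "IAP/local-enterprise"]))
    asserted = sp_assurance_values(SAMPLE_ASSERTION)
    print("medium required:", sp_meets_iap(asserted, "medium"))
    print("high required:", sp_meets_iap(asserted, "high"))
```

Running the script prints the five values of Example 1 for the IdP side, then True for a service provider requiring /IAP/medium and False for one requiring /IAP/high. Matching the attribute by its OID rather than by FriendlyName is deliberate: the FriendlyName is optional in SAML and an SP should not depend on it.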
See Also
Working with user data