- Created by Albert Wu (internet2.edu), last modified on May 12, 2021
Overview
eduPersonAssurance delivers a set of URIs that express a user credential's compliance with specific standards for identity assurance. This multi-valued attribute represents identity assurance profiles (IAPs), which are the sets of standards met by an identity assertion, based on the Identity Provider's identity management processes, the type of authentication credential used, the strength of its binding, etc.
eduPersonAssurance is defined in the eduPerson LDAP object class.
Use in the InCommon Federation
When implementing the REFEDS Assurance Framework (RAF), an identity provider communicates to a service provider in the SAML assertion that the signed-in user meets identity proofing and credentialing assurance requirements using the eduPersonAssurance attribute.
A user may meet multiple IAP requirements defined in RAF. In these events, the identity provider should send ALL applicable RAF values.
Applicable Values
See REFEDS Assurance Framework for specific value definitions.
The REFEDS Assurance Framework defines a range of values to signal varying levels of identity proofing and credential issuance. The Identity Assurance Profile values (section 2.2), in particular, are hierarchical, i.e., qualifying for a higher level of assurance also qualifies the credential for a lower level. For example, a credential meeting the requirements of /IAP/medium also meets the requirements of /IAP/low.
When asserting a person's assurance level, the identity provider should send ALL applicable RAF values, not only the highest one. If a credential meets the requirements for /IAP/medium, the identity provider should assert /IAP/medium AND /IAP/low.
SAML Response Example
Example 1 illustrates that:
- the identity management system has issued the signed-in user a unique ePUID value (/ID/unique)
- the user is ID-proofed face-to-face using a government-issued photo ID (/IAP/medium)
- the user has access to mission-critical enterprise systems (/IAP/local-enterprise)
- the identity management system qualifies to the baseline expectations for Identity Providers
These qualifications mean the identity provider should assert the following multi-valued assurance attribute:
$PREFIX$
$PREFIX$/ID/unique
$PREFIX$/IAP/local-enterprise
$PREFIX$/IAP/low
$PREFIX$/IAP/medium
where $PREFIX$ is the URI https://refeds.org/assurance
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="..." Version="2.0" IssueInstant="2020-07-17T01:01:48Z"
                Destination="...." InResponseTo="...">
  ...
  <saml:Assertion ...>
    ...
    <saml:AttributeStatement>
      <!-- eduPersonAssurance is urn:oid:1.3.6.1.4.1.5923.1.1.1.11 in the eduPerson schema
           (1.3.6.1.4.1.5923.1.1.1.6 is eduPersonPrincipalName) -->
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
                      FriendlyName="eduPersonAssurance"
                      x500:Encoding="LDAP">
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/ID/unique</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/low</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/local-enterprise</saml:AttributeValue>
      </saml:Attribute>
      ...
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
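The following is an added example, not code from this wiki page or from the eduPerson or REFEDS specifications. It shows both sides of the rules above: on the identity provider side, expanding a credential's highest IAP level into every hierarchical value that must be asserted; on the service provider side, pulling eduPersonAssurance values out of a Response by OID rather than by FriendlyName, checking that the "send ALL applicable values" rule was honoured, and requiring an explicit level instead of inferring it. It assumes the RAF prefix https://refeds.org/assurance, the hierarchical levels low, medium and high from RAF section 2.2 (the page itself only mentions low and medium), the eduPersonAssurance OID urn:oid:1.3.6.1.4.1.5923.1.1.1.11, and a constructed sample Response.

```python
"""Produce and sanity-check eduPersonAssurance values in a SAML 2.0 Response.

Added example; not code from the InCommon wiki page or from the eduPerson/RAF
specifications. Assumptions: the REFEDS Assurance Framework prefix, the IAP
ladder low < medium < high (RAF section 2.2), the eduPersonAssurance OID
1.3.6.1.4.1.5923.1.1.1.11, and a constructed sample Response below.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"        # eduPersonAssurance
PREFIX = "https://refeds.org/assurance"
# Hierarchical Identity Assurance Profiles, lowest first (RAF section 2.2).
# /IAP/local-enterprise is deliberately absent: it is not part of the ladder.
IAP_LEVELS = ["low", "medium", "high"]


def iap_uri(level):
    return "%s/IAP/%s" % (PREFIX, level)


def expand_iap(highest_level):
    """IdP side: given the highest IAP a credential qualifies for, return every
    hierarchical value that should be asserted (higher implies lower)."""
    idx = IAP_LEVELS.index(highest_level)
    return {iap_uri(lvl) for lvl in IAP_LEVELS[: idx + 1]}


def extract_assurance(response_xml):
    """SP side: return the set of eduPersonAssurance values in a Response.
    The attribute is matched by OID; FriendlyName is informational only."""
    root = ET.fromstring(response_xml)
    values = set()
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != EPA_OID:
            continue
        for val in attr.findall("{%s}AttributeValue" % SAML_NS):
            if val.text and val.text.strip():
                values.add(val.text.strip())
    return values


def missing_lower_levels(values):
    """Hierarchy check: IAP levels below the highest asserted one that the IdP
    omitted. An empty set means 'send ALL applicable values' was followed."""
    asserted = [lvl for lvl in IAP_LEVELS if iap_uri(lvl) in values]
    if not asserted:
        return set()
    return expand_iap(asserted[-1]) - values


def meets_iap(values, required_level):
    """SP policy: require the exact value rather than inferring it from a
    higher level, since a conforming IdP asserts every level it qualifies for."""
    return iap_uri(required_level) in values


# Constructed sample Response; ePPN is included so the OID match is exercised.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    ID="_example" Version="2.0" IssueInstant="2020-07-17T01:01:48Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-07-17T01:01:48Z">
    <saml:AttributeStatement>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
        <saml:AttributeValue xsi:type="xsd:string">jdoe@example.edu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" FriendlyName="eduPersonAssurance">
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/ID/unique</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/low</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/local-enterprise</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    vals = extract_assurance(SAMPLE_RESPONSE)
    print("asserted:", sorted(vals))
    print("IdP expansion for medium:", sorted(expand_iap("medium")))
    print("missing lower levels:", missing_lower_levels(vals))
    print("meets /IAP/medium:", meets_iap(vals, "medium"))
```

A non-empty result from missing_lower_levels is worth logging at the SP: it means the IdP asserted a higher level without the lower ones, which is a configuration error on the IdP side rather than something the SP should paper over by inferring the lower level itself.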
See Also
Working with user data