
Overview

eduPersonAssurance carries a set of URIs that express a user credential's compliance with specific standards for identity assurance. This multi-valued attribute represents identity assurance profiles (IAPs): the set of standards met by an identity assertion, based on the Identity Provider's identity management processes, the type of authentication credential used, the strength of its binding to the user, and similar factors.

eduPersonAssurance is defined in the eduPerson LDAP object class. 

OID: 1.3.6.1.4.1.5923.1.1.1.11
LDAP Syntax: Directory String
# of Values: multi-valued
References: eduPerson

Use in the InCommon Federation

When implementing the REFEDS Assurance Framework (RAF), an identity provider uses the eduPersonAssurance attribute in the SAML assertion to communicate to a service provider that the signed-in user meets specific identity proofing and credentialing assurance requirements.

A user may meet multiple IAP requirements defined in RAF. In such cases, the identity provider should send ALL applicable RAF values.

Applicable Values

See REFEDS Assurance Framework for specific value definitions.

The REFEDS Assurance Framework defines a range of values to signal varying levels of identity proofing and credential issuance. The Identity Assurance Profile values (section 2.2), in particular, are hierarchical: qualifying for a higher level of assurance also qualifies the credential for every lower level. For example, a credential meeting the requirements of /IAP/medium also meets the requirements of /IAP/low.

When asserting a person's assurance level, the identity provider should send ALL applicable RAF values, not only the highest one. If a credential meets the requirements for /IAP/medium, the identity provider should assert /IAP/medium AND /IAP/low.

SAML Response Example

Example 1 illustrates a case where:

  • the identity management system has issued the signed-in user a unique ePUID value (/ID/unique)

  • the user has been ID-proofed face-to-face using a government-issued photo ID (/IAP/medium)

  • the user has access to mission-critical enterprise systems (/IAP/local-enterprise)

  • the identity management system qualifies under the baseline expectations for Identity Providers

These qualifications mean the identity provider should assert the following multi-valued assurance assertion:

  • $PREFIX$

  • $PREFIX$/ID/unique

  • $PREFIX$/IAP/local-enterprise

  • $PREFIX$/IAP/low

  • $PREFIX$/IAP/medium

where $PREFIX$ is the URI https://refeds.org/assurance

Example 1: IAP assertion
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                ID="..." Version="2.0" IssueInstant="2020-07-17T01:01:48Z"
                Destination="..." InResponseTo="...">
 ...
 <saml:Assertion ...>
  ...
  <saml:AttributeStatement>
   <!-- Name is the eduPersonAssurance OID (1.3.6.1.4.1.5923.1.1.1.11) -->
   <saml:Attribute
       xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
       FriendlyName="eduPersonAssurance"
       x500:Encoding="LDAP">
     <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance</saml:AttributeValue>
     <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/ID/unique</saml:AttributeValue>
     <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
     <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/low</saml:AttributeValue>
     <saml:AttributeValue xsi:type="xsd:string">https://refeds.org/assurance/IAP/local-enterprise</saml:AttributeValue>
   </saml:Attribute>
   ...
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>
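The two rules above (IAP levels are cumulative, and the identity provider must send every applicable value rather than only the highest) are easy to get subtly wrong on either side of the exchange. The following is an added example, not code from the InCommon wiki or from the REFEDS framework: an identity-provider-side helper that expands a highest qualifying IAP level into the full multi-valued eduPersonAssurance set, and a service-provider-side check that locates the attribute by its OID in a SAML Response and tests it against a required level. The SAML Response embedded here is constructed for the example; the function names and the inclusion of /IAP/high (a RAF level above medium that this page does not discuss) in the ordering table are this example's own assumptions.

```python
"""eduPersonAssurance / RAF helpers (added example, not from the page)."""
import xml.etree.ElementTree as ET

RAF_PREFIX = "https://refeds.org/assurance"
EDUPERSON_ASSURANCE_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# RAF section 2.2 IAP levels, weakest to strongest. The page discusses low and
# medium; "high" is included as the next RAF-defined level (assumption made
# for this example, not taken from the page). /IAP/local-enterprise and the
# /ID/* values are not part of this hierarchy and are passed separately.
IAP_HIERARCHY = ["low", "medium", "high"]


def expand_assurance(highest_iap, other_values=()):
    """IdP side: build the complete eduPersonAssurance value set.

    highest_iap: strongest IAP level the credential qualifies for, e.g. "medium".
    other_values: non-hierarchical RAF components relative to RAF_PREFIX,
    e.g. "ID/unique" or "IAP/local-enterprise".
    Returns every URI to assert: the base URI (baseline expectations) plus all
    IAP levels at or below highest_iap, because the levels are cumulative.
    """
    if highest_iap not in IAP_HIERARCHY:
        raise ValueError(f"unknown IAP level: {highest_iap!r}")
    values = {RAF_PREFIX}
    cutoff = IAP_HIERARCHY.index(highest_iap)
    for level in IAP_HIERARCHY[: cutoff + 1]:
        values.add(f"{RAF_PREFIX}/IAP/{level}")
    for component in other_values:
        values.add(f"{RAF_PREFIX}/{component}")
    return sorted(values)


def extract_assurance(response_xml):
    """SP side: return the eduPersonAssurance values from a SAML Response.

    The attribute is matched by its OID-based Name, not by FriendlyName, since
    FriendlyName is optional and is not what an SP should key on. An attribute
    carrying a different OID (a common misconfiguration) is ignored, so the
    caller sees an empty list rather than a false match.
    """
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EDUPERSON_ASSURANCE_OID:
            return [(v.text or "").strip()
                    for v in attr.iterfind("saml:AttributeValue", NS)]
    return []


def meets_iap(values, required_level):
    """SP side: does the asserted set satisfy a required IAP level?

    Because the IdP is required to send ALL applicable values, the SP checks
    for the exact URI instead of inferring a lower level from a higher one.
    An IdP that sent only /IAP/medium therefore fails an /IAP/low check,
    which surfaces the misconfiguration instead of masking it.
    """
    return f"{RAF_PREFIX}/IAP/{required_level}" in set(values)


# Constructed sample response for this example (not the page's own example);
# the xsi/xs namespaces are declared so the document parses stand-alone.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="_example-response" Version="2.0" IssueInstant="2020-07-17T01:01:48Z">
  <saml:Assertion ID="_example-assertion" Version="2.0" IssueInstant="2020-07-17T01:01:48Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          FriendlyName="eduPersonAssurance">
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/assurance</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/assurance/ID/unique</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/assurance/IAP/low</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/assurance/IAP/local-enterprise</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    expected = expand_assurance("medium", ["ID/unique", "IAP/local-enterprise"])
    asserted = extract_assurance(SAMPLE_RESPONSE)
    print("IdP should assert:", expected)
    print("SP received:      ", sorted(asserted))
    print("missing values:   ", sorted(set(expected) - set(asserted)))
    print("meets /IAP/low:", meets_iap(asserted, "low"),
          "| meets /IAP/high:", meets_iap(asserted, "high"))
```

Running the script prints the expanded set for the Example 1 scenario, the values actually found in the sample response, and an empty "missing values" list, confirming the two sides agree. Swapping the Name attribute in the sample for a different OID makes `extract_assurance` return an empty list, which is the behaviour an SP wants when the attribute is mislabelled.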

