
DRAFT

UC0: SP Requires Silver

The SP requires InCommon Silver LOA.

It includes http://id.incommon.org/assurance/silver in the SAML AuthnRequest element. It rejects assertions that do not contain http://id.incommon.org/assurance/silver in the AuthnContext, and it rejects assertions from IdPs without http://id.incommon.org/assurance/silver in their InCommon metadata.

Examples:

  • NIH SPs?

UC1: SP Requires Bronze

The SP requires InCommon Bronze LOA (or higher).

It includes http://id.incommon.org/assurance/silver and http://id.incommon.org/assurance/bronze in the SAML AuthnRequest element. It accepts only:

Examples:

  • ???

UC2: SP Prefers Silver

The SP must operate in a world where not all IdPs can yet provide Silver LOA assertions, and Silver-capable IdPs can't provide Silver assertions for all users/circumstances. In cases where lower LOA assertions are used, the SP restricts access/functionality and/or implements other compensating controls. The SP wants to get Silver assertions whenever possible. The SP can determine which IdPs are Silver-capable from metadata.

For IdPs that are not Silver-capable according to metadata, the SP does not include an IAQ in the SAML AuthnRequest element. For IdPs that are Silver-capable according to metadata, the SP includes http://id.incommon.org/assurance/silver, http://id.incommon.org/assurance/bronze and http://id.incommon.org/assurance/none in the SAML AuthnRequest element. It accepts as Silver LOA those assertions that contain http://id.incommon.org/assurance/silver in the AuthnContext and come from IdPs with http://id.incommon.org/assurance/silver in their InCommon metadata. The SP applies compensating controls for all other assertions (considered to be lower LOA).

Note: http://id.incommon.org/assurance/none is just a straw-man proposal.
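The UC2 decision logic, sketched as an added example (not part of the original page and not InCommon's or any SP's own code). It assumes the IdP's assurance URIs are published in metadata as the `urn:oasis:names:tc:SAML:attribute:assurance-certification` entity attribute and that the SAML stack has already verified signatures; all function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASE = "http://id.incommon.org/assurance/"
SILVER, BRONZE, NONE = BASE + "silver", BASE + "bronze", BASE + "none"
# Assumption: assurance is carried in this entity attribute of the IdP metadata.
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

def metadata_assurance(entity_xml):
    """Return the set of assurance URIs an IdP's EntityDescriptor advertises."""
    root = ET.fromstring(entity_xml)  # input assumed already signature-verified
    path = (f".//mdattr:EntityAttributes/saml:Attribute[@Name='{CERT_ATTR}']"
            "/saml:AttributeValue")
    return {v.text.strip() for v in root.findall(path, NS) if v.text}

def requested_class_refs(idp_assurance):
    """UC2: request nothing from non-Silver IdPs, else the three URIs the page lists."""
    return [SILVER, BRONZE, NONE] if SILVER in idp_assurance else []

def classify(assertion_xml, idp_assurance):
    """'silver' only if BOTH the AuthnContext and the metadata carry Silver."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    refs = {r.text.strip() for r in root.findall(path, NS) if r.text}
    # Anything else is treated as lower LOA and gets compensating controls.
    return "silver" if SILVER in refs and SILVER in idp_assurance else "lower"

def sample_metadata(*uris):
    """Constructed EntityDescriptor advertising the given assurance URIs."""
    vals = "".join(f"<saml:AttributeValue>{u}</saml:AttributeValue>" for u in uris)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" '
            f'xmlns:mdattr="{NS["mdattr"]}" xmlns:saml="{NS["saml"]}" '
            f'entityID="https://idp.example.edu/idp"><md:Extensions>'
            f'<mdattr:EntityAttributes><saml:Attribute Name="{CERT_ATTR}">{vals}'
            f'</saml:Attribute></mdattr:EntityAttributes></md:Extensions>'
            f'</md:EntityDescriptor>')

def sample_assertion(class_ref):
    """Constructed Assertion fragment carrying one AuthnContextClassRef."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AuthnStatement>'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
            f'</saml:AuthnContextClassRef></saml:AuthnContext>'
            f'</saml:AuthnStatement></saml:Assertion>')
```

The case worth noting is an assertion that claims Silver in its AuthnContext while the issuing IdP lacks Silver in metadata: `classify` returns `"lower"`, so the claim alone never unlocks Silver-level access.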

Examples:

  • CILogon

UC3: SP Prefers Bronze

...

Examples:

  • Research.Gov?