DRAFT
UC0: SP Requires Silver
The SP requires InCommon Silver LOA.
It includes http://id.incommon.org/assurance/silver in the SAML AuthnRequest element. It rejects assertions from IdPs that do not contain http://id.incommon.org/assurance/silver in the AuthnContext, and it rejects assertions from IdPs without http://id.incommon.org/assurance/silver in their InCommon metadata.
Examples:
- NIH SPs?
UC1: SP Requires Bronze
The SP requires InCommon Bronze LOA (or higher).
It includes http://id.incommon.org/assurance/silver and http://id.incommon.org/assurance/bronze in the SAML AuthnRequest element. It accepts only:
- Assertions that contain http://id.incommon.org/assurance/silver in the AuthnContext from IdPs with http://id.incommon.org/assurance/silver in their InCommon metadata, or
- Assertions that contain http://id.incommon.org/assurance/bronze in the AuthnContext from IdPs with http://id.incommon.org/assurance/bronze in their InCommon metadata
Examples:
- ???
UC2: SP Prefers Silver
The SP must operate in a world where not all IdPs can yet provide Silver LOA assertions, and Silver-capable IdPs can't provide Silver assertions for all users/circumstances. In cases where lower LOA assertions are used, the SP restricts access/functionality and/or implements other compensating controls. The SP wants to get Silver assertions whenever possible. The SP can determine which IdPs are Silver-capable from metadata.
For IdPs that are not Silver-capable according to metadata, the SP does not include an IAQ in the SAML AuthnRequest element. For IdPs that are Silver-capable according to metadata, the SP includes http://id.incommon.org/assurance/silver and http://id.incommon.org/assurance/bronze and http://id.incommon.org/assurance/none in the SAML AuthnRequest element. It accepts, at Silver LOA, assertions that contain http://id.incommon.org/assurance/silver in the AuthnContext from IdPs with http://id.incommon.org/assurance/silver in their InCommon metadata. The SP applies compensating controls for all other assertions (considered to be lower LOA).
Note: http://id.incommon.org/assurance/none is just a straw-man proposal.
Examples:
- CILogon
Variation:
The SP is willing to accept transitional qualifiers (or Silver-uncertified qualifiers) from IdPs who intend to be fully certified within 12 months. The SP would prefer Silver but accepts Silver-uncertified.
For IdPs that are not capable of either Silver or Silver-uncertified according to metadata, the SP does not include an IAQ in the SAML AuthnRequest element. For IdPs that are capable of either Silver or Silver-uncertified according to metadata, the SP includes the appropriate request (either http://id.incommon.org/assurance/silver or http://id.incommon.org/assurance/silver-uncertified) in the SAML AuthnRequest element. It accepts, at Silver LOA, assertions that contain http://id.incommon.org/assurance/silver or http://id.incommon.org/assurance/silver-uncertified in the AuthnContext from IdPs with http://id.incommon.org/assurance/silver in their InCommon metadata.
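As an added example (not part of this draft or of any InCommon software), the Python check below implements the rule common to UC0, UC1 and UC2: an assertion counts at a given LOA only if the IAQ appears both in its AuthnContext and as an assurance-certification entity attribute in the IdP's InCommon metadata, so an IdP cannot grant itself Silver by asserting it. It assumes the assurance-certification entity attribute from the SAML identity assurance profile; the sample XML fragments and the sample_* helpers are constructed for the example.

```python
# Constructed example: an SP's acceptance check combining the asserted
# AuthnContextClassRef with the IdP's InCommon metadata certification.
import xml.etree.ElementTree as ET

SILVER = "http://id.incommon.org/assurance/silver"
BRONZE = "http://id.incommon.org/assurance/bronze"
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}

def certified_iaqs(metadata_xml):
    """IAQs the IdP is certified for, from its metadata entity attributes."""
    root = ET.fromstring(metadata_xml)
    attrs = root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS)
    return {(v.text or "").strip() for a in attrs if a.get("Name") == CERT_ATTR
            for v in a.iterfind("saml:AttributeValue", NS)}

def asserted_iaqs(assertion_xml):
    """AuthnContextClassRef values the IdP placed in the assertion."""
    root = ET.fromstring(assertion_xml)
    return {(e.text or "").strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS)}

def effective_loa(assertion_xml, metadata_xml, acceptable=(SILVER, BRONZE)):
    """Strongest acceptable IAQ (listed strongest first) that is both asserted and
    certified, else None. UC0: (SILVER,). UC1: (SILVER, BRONZE). UC2: None = lower LOA."""
    asserted, certified = asserted_iaqs(assertion_xml), certified_iaqs(metadata_xml)
    for iaq in acceptable:
        if iaq in asserted and iaq in certified:
            return iaq
    return None

# Constructed sample documents (unsigned fragments; signature checks come first).
def sample_assertion(classref):
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AuthnStatement>'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{classref}'
            '</saml:AuthnContextClassRef></saml:AuthnContext>'
            '</saml:AuthnStatement></saml:Assertion>')

def sample_metadata(*iaqs):
    vals = "".join(f"<saml:AttributeValue>{i}</saml:AttributeValue>" for i in iaqs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
            f'xmlns:saml="{NS["saml"]}" entityID="https://idp.example.edu/idp">'
            f'<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{CERT_ATTR}">'
            f'{vals}</saml:Attribute></mdattr:EntityAttributes></md:Extensions>'
            '</md:EntityDescriptor>')

if __name__ == "__main__":  # IdP asserts Silver but is only Bronze-certified: rejected
    print(effective_loa(sample_assertion(SILVER), sample_metadata(BRONZE)))  # None
```

Under UC2 a None result means "lower LOA": restrict functionality or apply compensating controls rather than reject outright.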
UC3: SP Prefers Bronze
...
Examples:
- Research.Gov