SP Assurance Policy Use Cases

DRAFT

UC0: SP Requires Silver

The SP requires InCommon Silver LOA.

It includes http://id.incommon.org/assurance/silver in the SAML AuthnRequest element. It rejects assertions from IdPs that do not contain http://id.incommon.org/assurance/silver in the AuthnContext, and it rejects assertions from IdPs without http://id.incommon.org/assurance/silver in their InCommon metadata.

Examples:

• NIH SPs?

UC1: SP Requires Bronze

The SP requires InCommon Bronze LOA (or higher).

It includes http://id.incommon.org/assurance/silver and http://id.incommon.org/assurance/bronze in the SAML AuthnRequest element. It accepts only:

• Assertions that contain http://id.incommon.org/assurance/silver in the AuthnContext from IdPs with http://id.incommon.org/assurance/silver in their InCommon metadata, or
• Assertions that contain http://id.incommon.org/assurance/bronze in the AuthnContext from IdPs with http://id.incommon.org/assurance/bronze in their InCommon metadata

Examples:

• ???

UC2: SP Prefers Silver

The SP must operate in a world where not all IdPs can yet provide Silver LOA assertions, and Silver-capable IdPs can't provide Silver assertions for all users/circumstances. In cases where lower LOA assertions are used, the SP restricts access/functionality and/or implements other compensating controls. The SP wants to get Silver assertions whenever possible. The SP can determine which IdPs are Silver-capable from metadata.

For IdPs that are not Silver-capable according to metadata, the SP does not include an IAQ in the SAML AuthnRequest element, and the SP applies compensating controls for the resulting lower LOA.

For IdPs that are Silver-capable according to metadata, the SP includes http://id.incommon.org/assurance/silver and http://id.incommon.org/assurance/bronze and urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport in the SAML AuthnRequest element. It accepts at Silver LOA assertions that contain http://id.incommon.org/assurance/silver in the AuthnContext from IdPs with http://id.incommon.org/assurance/silver in their InCommon metadata. The SP applies compensating controls for all other assertions (considered to be lower LOA). The SP handles errors from the IdP (i.e., opensaml::FatalProfileException) by making a new request without a AuthnRequest element, in case the IdP is not able to handle the AuthnRequest element.

Examples:

• CILogon

UC3: SP Prefers Bronze

...

Examples:

• Research.Gov