DRAFT

UC0: SP Requires Silver

The SP requires InCommon Silver LOA.

The SP includes http://id.incommon.org/assurance/silver in the SAML AuthnRequest element. It accepts an assertion only when that assertion carries http://id.incommon.org/assurance/silver in its AuthnContext and the issuing IdP is tagged with http://id.incommon.org/assurance/silver in InCommon metadata. That is, the SP explicitly verifies both conditions: the AuthnContext of the assertion, and the InCommon metadata entry for the IdP that issued it.

The SP may choose to short-circuit a request to an IdP with no http://id.incommon.org/assurance/silver in InCommon metadata or provide a discovery interface that lists only IdPs with http://id.incommon.org/assurance/silver in InCommon metadata.

As usual, the SP should intelligently handle errors. In particular, the SP should be prepared to handle the case that not all users at a particular IdP may be eligible for Silver LOA (for example, users not vetted at the Silver LOA), so even if the IdP is tagged with http://id.incommon.org/assurance/silver in InCommon metadata, authentication for some users may result in a "FatalProfileException".

Examples:

  • NIH SPs?

UC1: SP Requires Bronze

The SP requires InCommon Bronze LOA (or higher).

The SP includes http://id.incommon.org/assurance/silver and http://id.incommon.org/assurance/bronze in the SAML AuthnRequest element. It accepts either:

As usual, the SP should intelligently handle errors. In particular, the SP should be prepared to handle the case that not all users at a particular IdP may be eligible for Silver or Bronze LOA (for example, users not vetted at the Silver LOA or passwords too weak for Bronze LOA), so even if the IdP is tagged with http://id.incommon.org/assurance/silver or http://id.incommon.org/assurance/bronze in InCommon metadata, authentication for some users may result in a "FatalProfileException".

Examples:

  • The InCommon Federation Manager (FM)
  • The InCommon Certificate Manager (CM)

The FM and the CM recognize Bronze password credentials as the first factor of a two-factor authentication. The InCommon Operations Identity Provider is authoritative for the second "what you have" factor.

UC2: SP Prefers Silver

The SP must operate in a world where not all IdPs can yet provide Silver LOA assertions, and Silver-capable IdPs can't provide Silver assertions for all users/circumstances. In cases where lower LOA assertions are used, the SP restricts access/functionality and/or implements other compensating controls. The SP wants to get Silver assertions whenever possible. The SP can determine which IdPs are Silver-capable from metadata.

For IdPs that are not Silver-capable according to metadata, the SP does not include an IAQ (Identity Assurance Qualifier) in the SAML AuthnRequest element, and the SP applies compensating controls for the resulting lower LOA.

For IdPs that are Silver-capable according to metadata, the SP includes http://id.incommon.org/assurance/silver and urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified in the SAML AuthnRequest element. It accepts, at Silver LOA, assertions that contain http://id.incommon.org/assurance/silver in the AuthnContext from IdPs with http://id.incommon.org/assurance/silver in their InCommon metadata. The SP applies compensating controls for all other assertions (considered to be lower LOA). The SP handles errors from the IdP (e.g., opensaml::FatalProfileException) by making a new request with no IAQ in the AuthnRequest element, in case the IdP is not able to handle the requested authentication context; this results in a lower LOA authentication. Ideally the user will not be prompted to authenticate a second time for this second request by the SP, because the IdP already has a session for the user, i.e., the IdP has set a cookie in the user's browser.

Alternatively, the SP may include only http://id.incommon.org/assurance/silver in the SAML AuthnRequest element. If the IdP returns an error (e.g., opensaml::FatalProfileException), possibly indicating that the particular user is not Silver qualified, the SP makes a new request with no IAQ in the AuthnRequest element, resulting in a lower LOA authentication. Again, ideally the user will not be prompted to authenticate a second time for this second request by the SP, i.e., the IdP has set a cookie in the user's browser.
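The acceptance check that UC0, UC1 and UC2 all rely on (assertion AuthnContext AND the issuing IdP's metadata certification must both match) is shown below as an added example; it is not InCommon or Shibboleth code. The IdP metadata and assertion are constructed samples, the entityID https://idp.example.edu/idp is hypothetical, and the check assumes the usual SAML validation (signature, audience, conditions) has already passed.

```python
# Added example (not InCommon or Shibboleth code): the acceptance check an SP
# applies AFTER the usual SAML validation (signature, audience, conditions).
# The metadata and assertion below are constructed samples.
import xml.etree.ElementTree as ET

SILVER = "http://id.incommon.org/assurance/silver"
BRONZE = "http://id.incommon.org/assurance/bronze"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entity attribute under which federation metadata publishes assurance certifications.
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

IDP_METADATA = f"""<md:EntityDescriptor entityID="https://idp.example.edu/idp"
  xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="{CERT_ATTR}">
   <saml:AttributeValue>{BRONZE}</saml:AttributeValue>
   <saml:AttributeValue>{SILVER}</saml:AttributeValue>
  </saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>"""

ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
 <saml:AuthnStatement><saml:AuthnContext>
  <saml:AuthnContextClassRef>{SILVER}</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"""

def certified_loas(metadata_xml):
    """Return {entityID: set of assurance URIs} from an IdP's metadata."""
    root = ET.fromstring(metadata_xml)
    path = (f"./md:Extensions/mdattr:EntityAttributes/saml:Attribute"
            f"[@Name='{CERT_ATTR}']/saml:AttributeValue")
    return {root.get("entityID"): {v.text.strip() for v in root.findall(path, NS)}}

def accepted_loa(assertion_xml, certified, acceptable):
    """Highest LOA in `acceptable` (ordered high to low) that the assertion's
    AuthnContext claims AND metadata certifies for the issuing IdP; None means
    the SP must reject (UC0/UC1) or apply compensating controls (UC2)."""
    a = ET.fromstring(assertion_xml)
    issuer = a.findtext("saml:Issuer", namespaces=NS).strip()
    claimed = {e.text.strip() for e in a.findall(".//saml:AuthnContextClassRef", NS)}
    for loa in acceptable:
        if loa in claimed and loa in certified.get(issuer, set()):
            return loa
    return None
```

Passing [SILVER] models UC0 and UC2, and [SILVER, BRONZE] models UC1; a Silver claim from an IdP whose metadata lists only Bronze is not accepted even though the assertion itself looks fine.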

Examples:

  • CILogon

UC3: SP Prefers Bronze

...

Examples:

  • Research.Gov