DRAFT
Technical implementation of identity assurance requires system changes from InCommon Operations, IdPs, and SPs. This page captures lessons learned, recommended practices, and outstanding issues regarding the technical aspects of identity assurance.
Participation in the InCommon Identity Assurance Program requires the use of SAML V2.0 Web Browser SSO. IdP and SP operators should plan to upgrade to SAML V2.0 as soon as possible.
InCommon Operations will add identity assurance qualifiers (IAQs) to published metadata following notification of certification by InCommon management. IAQs will be added to the appropriate IdP entity descriptor of the certified IdP operator (IdPO).
Participants are not obligated to enforce policies or otherwise make use of these qualifiers, but they are provided so that supporting software may be configured to make use of the information when processing assertions containing assurance qualifiers.
Proposed IAQ URIs are:
Silver: http://id.incommon.org/assurance/silver
Bronze: http://id.incommon.org/assurance/bronze
There will likely be a need for non-production IAQs for use in interoperability testing, probably with test instances of metadata:
Silver: http://id.incommon.org/assurance/silver-test
Bronze: http://id.incommon.org/assurance/bronze-test
Note that all of the above URIs will resolve to actual web pages at some point.
The following extension is the immediate child element of the IdP's <md:EntityDescriptor> element in metadata:

<md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
      <saml:AttributeValue>http://id.incommon.org/assurance/silver-test</saml:AttributeValue>
      <saml:AttributeValue>http://id.incommon.org/assurance/bronze-test</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes>
</md:Extensions>
The <mdattr:EntityAttributes> element and the name of the SAML Attribute (urn:oasis:names:tc:SAML:attribute:assurance-certification) are defined by the OASIS specification entitled SAML V2.0 Metadata Extension for Entity Attributes and the OASIS SAML V2.0 Identity Assurance Profiles, respectively.
A complete, working metadata sample is attached to this wiki topic. To schema-validate this sample metadata, you can use XmlSecTool:

xmlsectool.sh --validateSchema \
  --schemaDirectory schema-files --inFile incommon-idp-metadata.xml
For convenience, we provide a set of (suitably modified) schema files that permit offline schema validation.
Ideally SPs that require a particular assurance level will initiate the assurance flow by including the desired IAQ in the SAML AuthnRequest element.
SPs will receive IAQs (either in response to a specific request, or sent unsolicited) in assertions from IdPs. SPs should use metadata to check that the IdP is authorized to assert the IAQs being asserted.
SPs will rely on local policy to decide how to handle incoming IAQs. For example, if the SP requires InCommon Bronze but receives InCommon Silver, that is probably acceptable.
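The metadata check described above, as an added example that is not part of this wiki page or of any InCommon or Shibboleth code: it reads the assurance-certification entity attribute for a given IdP out of federation metadata and discards any asserted IAQ the metadata does not back. The entityIDs and the metadata document are constructed sample values, not InCommon's published metadata.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed sample metadata with hypothetical entityIDs: one IdP certified
# for bronze-test only, one IdP with no assurance certification at all.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions>
      <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
          <saml:AttributeValue>http://id.incommon.org/assurance/bronze-test</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.edu/idp"/>
</md:EntitiesDescriptor>"""


def certified_iaqs(metadata_xml, entity_id):
    """Return the set of IAQ URIs the metadata certifies for entity_id (empty if none)."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        return {
            value.text.strip()
            for attr in ed.findall(path, NS)
            if attr.get("Name") == ASSURANCE_CERT
            for value in attr.findall("saml:AttributeValue", NS)
            if value.text
        }
    return set()


def authorized_iaqs(metadata_xml, entity_id, asserted):
    """Keep only the IAQs an IdP asserted that its metadata entry authorizes it to assert."""
    allowed = certified_iaqs(metadata_xml, entity_id)
    return [iaq for iaq in asserted if iaq in allowed]
```

Local policy (for instance accepting Silver where Bronze is required) is applied to the filtered list, not to the raw assertion.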
authnContextClassRef setting to control the value requested when particular resources are accessed. To include multiple values in a request, the AuthnRequest "template" mechanism described in the SessionInitiator documentation can be used.
<saml:Attribute> elements in IdP metadata. Other approaches?
See Assurance - Identity Provider Behavior.