...

A user that fulfils SWAMID Assurance Level 1 Profile should get the following values in the attribute eduPersonAssurance:

  • http://www.swamid.se/policy/assurance/al1
  • https://refeds.org/assurance
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/ID/unique [1]
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign [2]
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/local-enterprise [3]
  • https://refeds.org/assurance/ATP/ePA-1m [4]

...

A user that fulfils SWAMID Assurance Level 2 Profile should get the following values in the attribute eduPersonAssurance:

  • http://www.swamid.se/policy/assurance/al1
  • http://www.swamid.se/policy/assurance/al2
  • https://refeds.org/assurance
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/ID/unique [1]
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign [2]
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/medium
  • https://refeds.org/assurance/IAP/local-enterprise [3]
  • https://refeds.org/assurance/ATP/ePA-1m [4]

...

A user that fulfils SWAMID Assurance Level 3 Profile should get the following values in the attribute eduPersonAssurance:

  • http://www.swamid.se/policy/assurance/al1
  • http://www.swamid.se/policy/assurance/al2
  • http://www.swamid.se/policy/assurance/al3
  • https://refeds.org/assurance
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/profile/espresso
  • https://refeds.org/assurance/ID/unique [1]
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign [2]
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/medium
  • https://refeds.org/assurance/IAP/high
  • https://refeds.org/assurance/IAP/local-enterprise [3]
  • https://refeds.org/assurance/ATP/ePA-1m [4]
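The three bundles above are cumulative: every value released for AL1 is also released for AL2, and every AL2 value for AL3. A Service Provider consuming eduPersonAssurance should therefore not trust the bare SWAMID al-N URI but verify that the complete bundle it needs is present. The following Python is an added example, not SWAMID's or REFEDS' own code: it parses eduPersonAssurance (OID 1.3.6.1.4.1.5923.1.1.1.11) out of a SAML 2.0 AttributeStatement, works out the highest level whose complete bundle is actually present, and reports any mismatch with the level the IdP claims. The AttributeStatement samples are constructed inline; the function and constant names are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# eduPersonAssurance in SAML 2.0 URI name format (OID from the eduPerson schema).
EPA_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

SWAMID = "http://www.swamid.se/policy/assurance/"
REFEDS = "https://refeds.org/assurance"

# Value bundles per SWAMID Assurance Level, as listed on this page.
# Each level is a strict superset of the level below it.
AL1 = frozenset({
    SWAMID + "al1",
    REFEDS,
    REFEDS + "/profile/cappuccino",
    REFEDS + "/ID/unique",
    REFEDS + "/ID/eppn-unique-no-reassign",
    REFEDS + "/IAP/low",
    REFEDS + "/IAP/local-enterprise",
    REFEDS + "/ATP/ePA-1m",
})
AL2 = AL1 | {SWAMID + "al2", REFEDS + "/IAP/medium"}
AL3 = AL2 | {SWAMID + "al3", REFEDS + "/profile/espresso", REFEDS + "/IAP/high"}
BUNDLES = {1: AL1, 2: AL2, 3: AL3}


def assurance_values(attribute_statement_xml):
    """Collect the eduPersonAssurance values from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(attribute_statement_xml)
    values = set()
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != EPA_NAME:
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            if val.text and val.text.strip():
                values.add(val.text.strip())
    return frozenset(values)


def claimed_level(values):
    """Highest SWAMID al-N URI present in the bundle, 0 if none."""
    return max((n for n in BUNDLES if SWAMID + f"al{n}" in values), default=0)


def missing_for_level(values, level):
    """Values the bundle lacks for the given SWAMID level."""
    return BUNDLES[level] - frozenset(values)


def verified_level(values):
    """Highest level whose complete bundle is present, ignoring what is claimed."""
    return max((n for n in BUNDLES if not missing_for_level(values, n)), default=0)


def check_bundle(values):
    """Return (verified, claimed, missing-for-claimed). A relying party should act
    on `verified` and treat claimed > verified as an IdP misconfiguration."""
    claimed = claimed_level(values)
    missing = missing_for_level(values, claimed) if claimed else frozenset()
    return verified_level(values), claimed, missing


def sample_statement(values):
    """Constructed sample (not a real assertion): an AttributeStatement carrying
    eduPersonAssurance with the given values."""
    inner = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in sorted(values))
    return (f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">'
            f'<saml:Attribute Name="{EPA_NAME}"'
            f' NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
            f"{inner}</saml:Attribute></saml:AttributeStatement>")


# A correct AL2 release, and an AL3 claim from which IAP/high is missing.
GOOD_AL2 = sample_statement(AL2)
BAD_AL3 = sample_statement(AL3 - {REFEDS + "/IAP/high"})

if __name__ == "__main__":
    for label, xml in (("good AL2", GOOD_AL2), ("bad AL3", BAD_AL3)):
        verified, claimed, missing = check_bundle(assurance_values(xml))
        print(f"{label}: verified AL{verified}, claimed AL{claimed}, missing {sorted(missing)}")
```

The second sample carries the al3 URI but not https://refeds.org/assurance/IAP/high, so it verifies only as AL2; an SP that gated on the al3 URI alone would have accepted it. In a real deployment the assertion signature and issuer must of course be validated before any attribute is read; that step is outside this example.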

...

In section 5.2.3 of all SWAMID Identity Assurance Profiles it is defined that a user must be represented with one or more unique identifiers. This attribute value states that the released values of the identifier attributes eduPersonUniqueId, subject-id and pairwise-id must be unique and never reused for another user. However, the value does not imply that any of the three identifier attributes is actually released.

The identifier MUST have the following four properties:

  • (Unique-1) The user identifier represents a single natural person;
  • (Unique-2) The CSP can contact the person to whom the identifier is issued;
  • (Unique-3) The user identifier is never re-assigned; and
  • (Unique-4) The user identifier is eduPersonUniqueId [eduPerson], SAML 2.0 persistent name identifier [OASIS SAML], SAML V2.0 Subject Identifier Attribute subject-id or SAML V2.0 Subject Identifier Attribute pairwise-id [OASIS SIA], or OpenID Connect sub (type: public or pairwise).

[2] https://refeds.org/assurance/ID/eppn-unique-no-reassign

...

In section 5.5.2 of all SWAMID Identity Assurance Profiles it is defined that the Identity Provider must have an availability that allows the Member Organisation to use it for its internal systems.

[4] https://refeds.org/assurance/ATP/ePA-1m

There is no text about freshness of affiliation in the SWAMID Identity Assurance Profiles. However, the definition of attribute freshness in the REFEDS Assurance Framework follows from good identity management practice.

This attribute value signals that the values of the attributes eduPersonAffiliation and eduPersonScopedAffiliation change within one month of the user's departure from the organisation or change of organisational role (i.e., when an employee is no longer defined as an employee, or a student is no longer a student). In the REFEDS Assurance Framework it is defined that “a departure” from an organisation takes place when the organisation decides that the user doesn’t have a continuing basis for the affiliation value and therefore loses their organisational role and privileges (i.e., can no longer speak for the organisation in that role).

The organisational business practices here may vary; for instance:

  • In some organisations a researcher loses their organisational role and privileges the day their employment or other contract ends; in other organisations there is a defined grace period.

  • In some universities a student loses their organisational role and privileges the day they graduate; in other organisations the student role and privileges remain effective until the end of the semester.

The REFEDS Assurance Framework imposes no particular requirements on the organisational business practices regarding when the departure takes place. This value is intended to indicate only the maximum latency for the CSP’s identity management system to reflect the departure in the user’s attributes.

Notice also that this section does not require that the departing user’s account must be closed; only that the affiliation attribute value as observed by the Service Provider is updated.