...

Numbers between [ and ] are references to information further down in the page and are not part of the eduPersonAssurance values.

SWAMID Identity Assurance Profile 1

A user that fulfils SWAMID Assurance Level 1 Profile should get the following values in the attribute eduPersonAssurance:

  • http://www.swamid.se/policy/assurance/al1
  • https://refeds.org/assurance [1]
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/ID/unique [2]
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign [3]
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/local-enterprise [4]
  • https://refeds.org/assurance/ATP/ePA-1m [5]

SWAMID Identity Assurance Profile 2

A user that fulfils SWAMID Assurance Level 2 Profile should get the following values in the attribute eduPersonAssurance:

  • http://www.swamid.se/policy/assurance/al1
  • http://www.swamid.se/policy/assurance/al2
  • https://refeds.org/assurance [1]
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/ID/unique [2]
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign [3]
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/medium
  • https://refeds.org/assurance/IAP/local-enterprise [4]
  • https://refeds.org/assurance/ATP/ePA-1m [5]

SWAMID Identity Assurance Profile 3

A user that fulfils SWAMID Assurance Level 3 Profile should get the following values in the attribute eduPersonAssurance:

  • http://www.swamid.se/policy/assurance/al1
  • http://www.swamid.se/policy/assurance/al2
  • http://www.swamid.se/policy/assurance/al3
  • https://refeds.org/assurance [1]
  • https://refeds.org/assurance/profile/cappuccino
  • https://refeds.org/assurance/profile/espresso
  • https://refeds.org/assurance/ID/unique [2]
  • https://refeds.org/assurance/ID/eppn-unique-no-reassign [3]
  • https://refeds.org/assurance/IAP/low
  • https://refeds.org/assurance/IAP/medium
  • https://refeds.org/assurance/IAP/high
  • https://refeds.org/assurance/IAP/local-enterprise [4]
  • https://refeds.org/assurance/ATP/ePA-1m [5]
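
The three value sets above are cumulative: each profile carries everything the lower profile asserts, and the REFEDS profile values (cappuccino, espresso) are only meaningful when the component values that back them are released alongside. The following Python is an added example, not SWAMID's or REFEDS' own code. It derives the value set for a given SWAMID level from the lists on this page, and shows the check a Relying Party can run on a received eduPersonAssurance set: internal consistency (a profile claimed without its components, a higher IAP level without the lower ones) plus the service's own minimum requirements. The cappuccino/espresso component mapping (ID/unique, ATP/ePA-1m, and IAP/low resp. IAP/high) is the REFEDS Assurance Framework definition; function and variable names are the example's own, and the input sets are constructed.

```python
"""Derive eduPersonAssurance value sets for the SWAMID assurance profiles and
check the value set a Relying Party receives for consistency and sufficiency.
Added example; not SWAMID's or REFEDS' own code."""
from __future__ import annotations

from typing import Iterable

SWAMID = "http://www.swamid.se/policy/assurance/"
RAF = "https://refeds.org/assurance"

# Values asserted for every SWAMID profile (the AL1 list on this page).
_AL1 = frozenset({
    SWAMID + "al1",
    RAF,
    RAF + "/profile/cappuccino",
    RAF + "/ID/unique",
    RAF + "/ID/eppn-unique-no-reassign",
    RAF + "/IAP/low",
    RAF + "/IAP/local-enterprise",
    RAF + "/ATP/ePA-1m",
})
# Levels are cumulative: each profile adds to the values of the one below it.
_AL2_EXTRA = frozenset({SWAMID + "al2", RAF + "/IAP/medium"})
_AL3_EXTRA = frozenset({SWAMID + "al3", RAF + "/IAP/high", RAF + "/profile/espresso"})

# Component values that back each REFEDS profile (REFEDS Assurance Framework).
PROFILE_COMPONENTS = {
    RAF + "/profile/cappuccino": {RAF + "/ID/unique", RAF + "/IAP/low", RAF + "/ATP/ePA-1m"},
    RAF + "/profile/espresso": {RAF + "/ID/unique", RAF + "/IAP/high", RAF + "/ATP/ePA-1m"},
}
IAP_ORDER = ("low", "medium", "high")  # identity-proofing levels, weakest first


def assurance_values(level: int) -> frozenset[str]:
    """eduPersonAssurance values an IdP should release for a SWAMID AL1/AL2/AL3 user."""
    if level not in (1, 2, 3):
        raise ValueError(f"unknown SWAMID assurance level: {level!r}")
    values = set(_AL1)
    if level >= 2:
        values |= _AL2_EXTRA
    if level >= 3:
        values |= _AL3_EXTRA
    return frozenset(values)


def iap_level(values: Iterable[str]) -> str | None:
    """Highest IAP level asserted in `values` ("low"/"medium"/"high"), or None."""
    vals = set(values)
    asserted = [lvl for lvl in IAP_ORDER if f"{RAF}/IAP/{lvl}" in vals]
    return asserted[-1] if asserted else None


def check_assertion(values: Iterable[str], *, require_profile: str | None = None,
                    min_iap: str | None = None, require_stable_eppn: bool = False) -> list[str]:
    """Relying-party side check of a received eduPersonAssurance value set.

    Returns a list of problems; an empty list means the set is internally
    consistent and meets the caller's requirements. Reject on any problem: an
    inconsistent set means the IdP is mis-configured (or the values were
    altered in transit), so its profile claims cannot be relied on.
    """
    vals = set(values)
    problems: list[str] = []
    if RAF not in vals:
        problems.append("REFEDS baseline value missing")
    # A profile claim must be backed by all of its component values.
    for profile, components in PROFILE_COMPONENTS.items():
        missing = components - vals
        if profile in vals and missing:
            problems.append(f"{profile} asserted without {sorted(missing)}")
    # IAP values are cumulative: a higher level implies the lower ones (see the AL3 list).
    top = iap_level(vals)
    if top is not None:
        lower = [lvl for lvl in IAP_ORDER[:IAP_ORDER.index(top)]
                 if f"{RAF}/IAP/{lvl}" not in vals]
        if lower:
            problems.append(f"IAP/{top} asserted without {lower}")
    # The service's own minimum requirements.
    if require_profile is not None and require_profile not in vals:
        problems.append(f"required profile {require_profile} not asserted")
    if min_iap is not None and (top is None or IAP_ORDER.index(top) < IAP_ORDER.index(min_iap)):
        problems.append(f"IAP/{min_iap} or higher required, got {top}")
    if require_stable_eppn and f"{RAF}/ID/eppn-unique-no-reassign" not in vals:
        problems.append("eduPersonPrincipalName not asserted as unique and never reassigned")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a correct AL2 set, and a broken set that claims
    # espresso while the user was only proofed to IAP/medium.
    al2 = assurance_values(2)
    print(check_assertion(al2, require_profile=RAF + "/profile/cappuccino",
                          min_iap="medium", require_stable_eppn=True))  # []
    broken = (al2 | {RAF + "/profile/espresso"}) - {RAF + "/IAP/low"}
    for problem in check_assertion(broken, min_iap="high"):
        print("problem:", problem)
```

The consistency checks matter more than the requirement checks: a service that only tests for the presence of `https://refeds.org/assurance/profile/espresso` will accept an IdP that releases the profile value by mistake, whereas requiring the backing `IAP/high` as well catches that mis-configuration.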

Additional information on specific REFEDS Assurance Framework values

[1] https://refeds.org/assurance

The SWAMID Assurance Profiles fulfil items 1-3 of the REFEDS Assurance Framework baseline expectations listed below. Item 4 is enforced by SWAMID metadata registration practices.

...

  1. The Identity Provider is operated with organizational-level authority
  2. The Identity Provider is trusted enough that it is (or it could be) used to access the organization’s own systems
  3. Generally-accepted security practices are applied to the Identity Provider
  4. Federation metadata is accurate, complete, and includes at least one of the following: support, technical, admin, or security contacts

[2] https://refeds.org/assurance/ID/unique

Section 5.2.3 of all SWAMID Identity Assurance Profiles requires that a user is represented by one or more unique identifiers. This attribute value asserts that the values of the identifier attributes that are released are unique and never reused for another user. It does not, however, imply that all identifier attributes are released.

...

Note also that the identifier eduPersonUniqueId is not used in SWAMID attribute release best practice as of April 2021.

[3] https://refeds.org/assurance/ID/eppn-unique-no-reassign

Section 5.2.3 of all SWAMID Identity Assurance Profiles requires that a user is represented by one or more unique identifiers. This attribute value asserts that the released value of the attribute eduPersonPrincipalName is unique and never reused for another user. It does not, however, imply that the attribute is released.

...

  • If the Identity Provider asserts eppn-unique-no-reassign, the Relying Party knows that when it observes a given ePPN value it will always belong to the same individual.

[4] https://refeds.org/assurance/IAP/local-enterprise

Section 5.5.2 of all SWAMID Identity Assurance Profiles requires that the Identity Provider has an availability that allows the Member Organisation to use it for internal systems. Internal systems are not only systems installed within the organisation but also systems like Ladok, Antagning.se, NAIS and Sunet contracted services such as Sunet E-meeting, Sunet LMS, Sunet Drive and eduSIGN.

[5] https://refeds.org/assurance/ATP/ePA-1m

The SWAMID Identity Assurance Profiles do not define any freshness requirement for affiliation. The attribute freshness that the REFEDS Assurance Framework defines for this value (the affiliation attributes reflect a change in the user's status within one month) does, however, follow from good identity management practice.

...