SWAMID has two defined levels of assurance, SWAMID AL1 (http://www.swamid.se/policy/assurance/al1) and SWAMID AL2 (http://www.swamid.se/policy/assurance/al2).

All assurance levels for which SWAMID has approved an Identity Provider are published in the SAML metadata as the entity attribute urn:oasis:names:tc:SAML:attribute:assurance-certification. The assurance certification attribute in metadata states which assurance profiles the Identity Provider and its home organisation are approved for.

...

To check a user's assurance profile you need to verify that the Identity Provider is approved for the same assurance profile as it has asserted for the user; an assurance profile asserted by an Identity Provider that is not approved for it in metadata must not be trusted. To do this you need to activate extended functionality in the Shibboleth Service Provider. This extension is available since version 2.2.

...

To get the approved assurance profiles from metadata you need to activate the Metadata Attribute Extraction extension in Shibboleth SP. This is done by extending the ApplicationDefaults tag in shibboleth2.xml with metadataAttributePrefix="Meta-" after REMOTE_USER="...", see the example below. The same configuration appears as a standard example in the file example-shibboleth2.xml in later versions of Shibboleth SP.

Example ApplicationDefaults in shibboleth2.xml (XML):

<ApplicationDefaults
    entityID="https://example.com/shibboleth"
    REMOTE_USER="eppn persistent-id targeted-id"
    metadataAttributePrefix="Meta-">
    <!-- Sessions, Errors, MetadataProvider and the other child elements are unchanged -->
</ApplicationDefaults>
Important information: after activating this extension every metadata attribute matched by attribute-map.xml is exported to your application with the Meta- prefix, so you may get too many headers or environment variables. If you do, remove all attributes your application does not use from attribute-map.xml.

Define metadata assurance certification attribute

...

Please note that this approach only checks that the Identity Provider and the user fulfil the checked assurance profile, i.e. that the profile asserted for the user is one the Identity Provider is approved for in metadata. Checking that the credentials actually used to log in fulfil the assurance profile is more advanced and needs more configuration of both the Service Provider and the Identity Provider.
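The following is an added example of the application-side comparison described above; it is not code from the SWAMID wiki or from the Shibboleth project. It assumes that attribute-map.xml maps urn:oasis:names:tc:SAML:attribute:assurance-certification to the id "assurance-certification" (so, with metadataAttributePrefix="Meta-", the Identity Provider's approved profiles reach the application as the variable "Meta-assurance-certification"), that the profile asserted for the user arrives as the variable "eduPersonAssurance" (assumed id), and that Shibboleth SP's default multi-value separator ";" is in use. The sample environment at the bottom is constructed for the demonstration.

```python
"""Verify a SWAMID assurance profile behind Shibboleth SP.

Added example (not SWAMID or Shibboleth code). Assumed variable names:
  - "Meta-assurance-certification": profiles the IdP is approved for, taken
    from metadata by the Metadata Attribute Extraction extension.
  - "eduPersonAssurance": profiles the IdP asserted for this user.
Both are multi-valued, joined with ";" (Shibboleth SP default).
"""
import os

AL1 = "http://www.swamid.se/policy/assurance/al1"
AL2 = "http://www.swamid.se/policy/assurance/al2"

META_VAR = "Meta-assurance-certification"  # assumed id with Meta- prefix
USER_VAR = "eduPersonAssurance"            # assumed id of the user attribute


def split_values(raw, sep=";"):
    """Split a Shibboleth multi-valued attribute into a set of values."""
    return {v.strip() for v in (raw or "").split(sep) if v.strip()}


def verified_assurance(asserted_raw, approved_raw):
    """Profiles that the IdP both asserted for the user AND is approved for.

    Anything the IdP asserts without being approved for it in metadata is
    dropped, which is the check the wiki page describes.
    """
    return split_values(asserted_raw) & split_values(approved_raw)


def meets(required, asserted_raw, approved_raw):
    """True only if `required` survives the metadata cross-check.

    Deliberately strict: AL2 asserted by an IdP approved only for AL1 does
    not satisfy an AL2 requirement, and no profile is inferred from another.
    """
    return required in verified_assurance(asserted_raw, approved_raw)


def check_request(environ, required, user_var=USER_VAR, meta_var=META_VAR):
    """Run the check against the variables Shibboleth SP set for a request."""
    return meets(required, environ.get(user_var), environ.get(meta_var))


if __name__ == "__main__":
    # Constructed sample: the IdP asserts AL1 and AL2 for the user, but
    # SWAMID metadata only approves it for AL1.
    sample_environ = {
        USER_VAR: AL1 + ";" + AL2,
        META_VAR: AL1,
    }
    print("verified:", sorted(verified_assurance(sample_environ[USER_VAR],
                                                 sample_environ[META_VAR])))
    print("AL1 ok:", check_request(sample_environ, AL1))
    print("AL2 ok:", check_request(sample_environ, AL2))
    # In a real deployment the variables come from the process environment
    # (or request headers, depending on how Shibboleth SP is configured).
    print("live AL1 ok:", check_request(os.environ, AL1))
```

Wire `check_request` into the login or authorization step of the application and fail closed when it returns False; a missing Meta- variable means the Identity Provider is not approved for any SWAMID profile (or the extension is not active), and the check treats that the same as an unapproved profile.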