
All SWAMID-approved assurance levels for an Identity Provider are defined in the SAML metadata as a SAML extended attribute named urn:oasis:names:tc:SAML:attribute:assurance-certification. The assurance certification attribute in metadata defines which assurance profiles the Identity Provider and its home organisation are approved for.

The Identity Provider uses the attribute eduPersonAssurance to assert the logged-in user's assurance profile. Please observe that the Identity Provider must not indicate any assurance profile other than the ones it is approved for. Signalling the user's assurance profile via the attribute eduPersonAssurance means that the user verification fulfils all parts of the asserted assurance profile.

  • An Identity Provider that has an assurance certification in metadata for SWAMID AL2 (http://www.swamid.se/policy/assurance/al2) is allowed to assert that a user is approved for SWAMID AL2 or SWAMID AL1.
  • An Identity Provider that has an assurance certification in metadata for SWAMID AL1 (http://www.swamid.se/policy/assurance/al1) is allowed to assert that a user is approved for SWAMID AL1.
  • An Identity Provider that has no assurance certification in metadata is not allowed to assert that a user is approved for any SWAMID assurance profile.

To check a user's assurance profile you need to verify that the Identity Provider is approved for the same assurance profile as it has asserted for the user. To do this you need to activate extended functionality in the Shibboleth Service Provider. This extension is available since version 2.2.

Activate Metadata Attribute Extraction for Identity Provider metadata

To get the approved assurance profiles from metadata you need to activate the Metadata Attribute Extraction extension in Shibboleth SP. This is done in the ApplicationDefaults tag in shibboleth2.xml by adding metadataAttributePrefix="Shib-Meta-" after REMOTE_USER="...", see the example below.

Example ApplicationDefaults in shibboleth2.xml:

<ApplicationDefaults
    id="default" policyId="default"
    entityID="default"
    REMOTE_USER="eppn persistent-id targeted-id"
    metadataAttributePrefix="Shib-Meta-"
    signing="false" encryption="false">
    <!-- Sessions, Errors, MetadataProvider and the other child elements stay as before -->
</ApplicationDefaults>

Define metadata assurance certification attribute

The next step is to make the approved assurance levels available to the application. This is done in attribute-map.xml in the same way as for attributes asserted by the Identity Provider.

Definition of the metadata assurance certification attribute in attribute-map.xml:

<Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/>
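Once both attributes are exposed to the application, the comparison itself is done in application code. The following is an added example (not SWAMID's or the Shibboleth project's own code) of the rule set described above: an Identity Provider certified for AL2 may assert AL2 or AL1, one certified for AL1 may assert only AL1, and one with no certification may assert nothing. It assumes the metadataAttributePrefix "Shib-Meta-" and attribute id "Assurance-Certification" from the configuration above (giving the variable Shib-Meta-Assurance-Certification), that eduPersonAssurance is mapped to the id "assurance" in attribute-map.xml, and that Shibboleth SP joins multiple attribute values with ";" (its default separator); the request environment at the end is constructed for the example.

```python
"""Application-side check of a SWAMID assurance assertion against the
Identity Provider's assurance certification in metadata.

Added example, not SWAMID's or Shibboleth's own code. Assumptions:
- metadataAttributePrefix="Shib-Meta-" plus the attribute-map id
  "Assurance-Certification" yields the variable Shib-Meta-Assurance-Certification.
- eduPersonAssurance is mapped with id "assurance" in attribute-map.xml.
- Shibboleth SP joins multiple values with ';' (its default separator).
"""

AL1 = "http://www.swamid.se/policy/assurance/al1"
AL2 = "http://www.swamid.se/policy/assurance/al2"

# SWAMID profiles ordered from lowest to highest. A certification for a
# profile also covers every lower profile (AL2 certification allows AL2 or AL1).
SWAMID_PROFILES = [AL1, AL2]


def split_values(raw):
    """Split a Shibboleth SP attribute string into its individual values."""
    return [v for v in (raw or "").split(";") if v]


def check_assurance(idp_certifications, user_assurance):
    """Compare asserted eduPersonAssurance values with the IdP's certification.

    Returns a dict with:
      verified: the highest SWAMID profile the user is verified for, or None
      rejected: asserted SWAMID values the IdP is not certified to assert
    Values in eduPersonAssurance that are not SWAMID profiles are ignored here.
    """
    certified_ranks = [SWAMID_PROFILES.index(p) for p in idp_certifications
                       if p in SWAMID_PROFILES]
    # Keep asserted SWAMID values in profile order (low to high).
    asserted = [p for p in SWAMID_PROFILES if p in user_assurance]

    if not certified_ranks:
        # An IdP without assurance certification may not assert any SWAMID profile.
        return {"verified": None, "rejected": asserted}

    max_rank = max(certified_ranks)
    accepted = [p for p in asserted if SWAMID_PROFILES.index(p) <= max_rank]
    rejected = [p for p in asserted if SWAMID_PROFILES.index(p) > max_rank]
    verified = accepted[-1] if accepted else None  # highest accepted profile
    return {"verified": verified, "rejected": rejected}


def check_request(environ):
    """Run the check on the variables Shibboleth SP exposes to the application."""
    idp_certs = split_values(environ.get("Shib-Meta-Assurance-Certification"))
    user_vals = split_values(environ.get("assurance"))
    return check_assurance(idp_certs, user_vals)


# Constructed request environment (not a real IdP): an Identity Provider
# certified for AL1 only that nevertheless asserts AL2 for the user.
CONSTRUCTED_ENV = {
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "Shib-Meta-Assurance-Certification": AL1,
    "assurance": AL1 + ";" + AL2,
}

if __name__ == "__main__":
    result = check_request(CONSTRUCTED_ENV)
    print("verified:", result["verified"])   # the AL1 URI
    print("rejected:", result["rejected"])   # [the AL2 URI]
```

Only the profiles the Identity Provider is certified for survive the check; a value the IdP was not allowed to assert is reported separately so the application can log it rather than silently trusting or silently dropping it.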