SWAMID Assurance Profiles

SWAMID has three defined levels of assurance: SWAMID AL1 (http://www.swamid.se/policy/assurance/al1), SWAMID AL2 (http://www.swamid.se/policy/assurance/al2) and SWAMID AL3 (http://www.swamid.se/policy/assurance/al3).

All assurance levels approved by SWAMID for an Identity Provider are defined in the SAML metadata as the SAML extended attribute urn:oasis:names:tc:SAML:attribute:assurance-certification. The assurance certification attribute in metadata defines which assurance profiles the Identity Provider and its home organisation have been approved for, or have declared that they fulfil.

...

  • An Identity Provider that has an assurance certification in metadata for SWAMID AL3 (http://www.swamid.se/policy/assurance/al3) is allowed to assert that a user is approved for SWAMID AL3.
  • An Identity Provider that has an assurance certification in metadata for SWAMID AL2 (http://www.swamid.se/policy/assurance/al2) is allowed to assert that a user is approved for SWAMID AL2.
  • An Identity Provider that has an assurance certification in metadata for SWAMID AL1 (http://www.swamid.se/policy/assurance/al1) is allowed to assert that a user is approved for SWAMID AL1.
  • An Identity Provider that has no assurance certification in metadata is not allowed to assert that a user is approved for any SWAMID assurance profile.

...

If the web application needs to check whether a user is approved for a SWAMID Assurance Profile, the application must check the approved assurance profiles of both the user and the Identity Provider that was used, as described in the bullet list in this document.

Please note that this approach only checks that the Identity Provider and the user fulfil the checked assurance profile. Checking that the credentials used to log in fulfil the assurance profile is more advanced and needs more configuration of both the Service Provider and the Identity Provider.

...

To get the approved assurance profiles from metadata you need to activate the Metadata Attribute Extraction extension in Shibboleth SP. This is done by extending the ApplicationDefaults tag in shibboleth2.xml, adding metadataAttributePrefix="Meta-" after REMOTE_USER="..." (see example). This is a standard example in the file example-shibboleth2.xml in later versions of Shibboleth SP. It is also included in the SWAMID Configure Shibboleth SP - SWAMID-shibboleth2.xml

...

After the activation of the Metadata Attribute Extraction extension and the attribute definition, all assurance profiles the Identity Provider has been approved for are available in the multi-valued attribute Meta-Assurance-Certification.
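The two-sided check described above, as an added example and not code from the SWAMID wiki or the Shibboleth project. It assumes Shibboleth SP hands the application attributes as environment variables or request headers with multi-valued attributes joined by ";" (a literal ";" inside a value escaped as "\;"), and that the user's own approved profiles arrive in the eduPersonAssurance attribute mapped under the id "assurance"; the sample logins are constructed.

```python
# Added example (not from the SWAMID page): a SWAMID assurance profile is
# accepted only when BOTH the Identity Provider's metadata certification
# (Meta-Assurance-Certification) and the user's assurance attribute carry it.
# Assumptions: Shibboleth SP joins multi-valued attributes with ";" and
# escapes a literal ";" as "\;"; eduPersonAssurance is mapped as "assurance".
import re

SWAMID_AL1 = "http://www.swamid.se/policy/assurance/al1"
SWAMID_AL2 = "http://www.swamid.se/policy/assurance/al2"
SWAMID_AL3 = "http://www.swamid.se/policy/assurance/al3"

IDP_ATTR = "Meta-Assurance-Certification"  # from metadata, metadataAttributePrefix="Meta-"
USER_ATTR = "assurance"                    # assumed id for eduPersonAssurance


def split_multivalue(raw):
    """Split a Shibboleth SP multi-valued attribute string into its values."""
    if not raw:
        return []
    # Split on ";" that is not escaped by a backslash, then unescape "\;".
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]


def approved_for(attrs, profile):
    """True only if the IdP is certified for `profile` AND the user holds it."""
    idp_profiles = set(split_multivalue(attrs.get(IDP_ATTR)))
    user_profiles = set(split_multivalue(attrs.get(USER_ATTR)))
    return profile in idp_profiles and profile in user_profiles


# Constructed sample logins, shaped like what the SP would pass to the app.
LOGIN_OK = {IDP_ATTR: f"{SWAMID_AL1};{SWAMID_AL2}", USER_ATTR: SWAMID_AL2}
# User claims AL2, but the IdP is only certified for AL1: must be rejected.
LOGIN_IDP_UNCERTIFIED = {IDP_ATTR: SWAMID_AL1, USER_ATTR: SWAMID_AL2}
# IdP certified for AL2, but this user was only approved for AL1.
LOGIN_USER_AL1 = {IDP_ATTR: f"{SWAMID_AL1};{SWAMID_AL2}", USER_ATTR: SWAMID_AL1}
# IdP with no certification in metadata may not assert any profile at all.
LOGIN_NO_CERT = {USER_ATTR: f"{SWAMID_AL1};{SWAMID_AL2}"}

if __name__ == "__main__":
    for name, login in [("ok", LOGIN_OK), ("idp-uncertified", LOGIN_IDP_UNCERTIFIED),
                        ("user-al1", LOGIN_USER_AL1), ("no-cert", LOGIN_NO_CERT)]:
        print(f"{name}: AL2 approved = {approved_for(login, SWAMID_AL2)}")
```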