Identity Assurance

Changes in Federation Metadata from 20 May 2022!

In the course of the introduction of the REFEDS Assurance Framework, metadata aggregates separated according to Degrees of Reliance will no longer be available in the DFN-AAI from 20 May 2022. The distinction as to which Degree of Reliance an identity provider is assigned to will in future only be available via this entity attribute in the metadata: http://aai.dfn.de/loa/degree-of-reliance.

The most important changes:

The metadata aggregates dfn-aai-metadata.xml and dfn-aai-basic-metadata.xml will no longer be delivered as of 20.5.2022!

Identity Providers must import the metadata of the Service Providers of the DFN-AAI Productive Federation via this metadata URL:

http://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml resp. https://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml
(EntitiesDescriptor/@Name=“https://www.aai.dfn.de/DFN-AAI-sp”)

See Metadata and the configuration examples at Production Environment.

Service Providers must import the metadata of the identity providers of the DFN-AAI productive federation via this metadata URL:

https://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml
(EntitiesDescriptor/@Name=“https://www.aai.dfn.de/DFN-AAI-idp”)

See Metadata and the configuration examples at Production Environment.

All other metadata aggregates distributed by the DFN-AAI (eduGAIN, test federation, local metadata) remain unaffected by this measure. However, we recommend to use the (future-proof) URL variants without '/fileadmin', cf. the recommended URLs at Metadata.

If you have any questions, please contact the DFN-AAI Team: hotline@aai.dfn.de

The reliability of digital identities is an essential factor in the trust fabric of an identity federation like DFN-AAI.

The concept of the so-called Degrees of Reliance used in DFN-AAI since 2009 models the different trust levels or Degrees Test, Basic and Advanced via different metadata sets. Service providers perform a risk assessment and, depending on the protection requirements of the resources in question, configure the respective service provider in such a way that only metadata containing the identity providers of the selected Degree of Reliance are imported. This ensures at the technical level that interaction takes place exclusively with identity providers with whom there exists a basic trust relationship.

The imprecise and internationally incompatible concept of Degrees of Reliance will be replaced in the course of 2022 by the REFEDS Assurance Framework, which covers more criteria than the existing Degrees of Reliance. By transporting identity assurance information via values of the eduPersonAssurance attribute, the REFEDS Assurance Framework enables service providers to address particularly relevant reliability criteria separately (if necessary), depending on individual protection requirements, without having to demand an abstract, opaque set of criteria in the form of a Degree of Reliance. Another motivation for the change is the effort to maintain the connectivity of the DFN-AAI in the international context by implementing an internationally recognized standard. This particularly concerns the support of research communities that depend on cross-federation collaboration via eduGAIN.

A more detailed presentation (in German) of the facts can be found in DFN-Mitteilungen Nr. 100 starting on page 42.

  • February 2022: Workshop(s) on the technical implementation of the REFEDS Assurance Frameworks - dates to be announced soon.
  • May, 20th end of April 2022, the separate metadata sets for the Degrees of Reliance Advanced and Basic will be abolished. For the productive environment of the DFN-AAI, only two metadata files will then be available, each containing the metadata of all productive IdPs and SPs. The metadata administration tool of the DFN-AAI will continue to support the two Degrees Advanced and Basic. However, the IdP-side conformance to a Degree of Reliance and the related requirements of a Service Provider will then only be available via the corresponding Entity Attributes in the IdP and SP metadata. This type of labeling has already been implemented for some time.
  • At the end of 2022, support for the Degrees of Reliance on the part of the DFN-AAI metadata registry and metadata administration tool will be discontinued. As of January 2023, information on the reliability of digital identities in the DFN-AAI will be transported exclusively via the mechanisms of the REFEDS Assurance Framework..
  • Last modified: 4 months ago