Identity Assurance

The reliability of digital identities is an essential factor in the trust fabric of an identity federation like DFN-AAI.

The concept of the so-called Degrees of Reliance used in DFN-AAI since 2009 models the different trust levels or Degrees Test, Basic and Advanced via different metadata sets. Service providers perform a risk assessment and, depending on the protection requirements of the resources in question, configure the respective service provider in such a way that only metadata containing the identity providers of the selected Degree of Reliance are imported. This ensures at the technical level that interaction takes place exclusively with identity providers with whom there exists a basic trust relationship.

The imprecise and internationally incompatible concept of Degrees of Reliance will be replaced in the course of 2022 by the REFEDS Assurance Framework, which covers more criteria than the existing Degrees of Reliance. By transporting identity assurance information via values of the eduPersonAssurance attribute, the REFEDS Assurance Framework enables service providers to address particularly relevant reliability criteria separately (if necessary), depending on individual protection requirements, without having to demand an abstract, opaque set of criteria in the form of a Degree of Reliance. Another motivation for the change is the effort to maintain the connectivity of the DFN-AAI in the international context by implementing an internationally recognized standard. This particularly concerns the support of research communities that depend on cross-federation collaboration via eduGAIN.

A more detailed presentation (in German) of the facts can be found in DFN-Mitteilungen Nr. 100 starting on page 42.

  • February 2022: Workshop(s) on the technical implementation of the REFEDS Assurance Frameworks - dates to be announced soon.
  • At the end of March 2022, the separate metadata sets for the Degrees of Reliance Advanced and Basic will be abolished. For the productive environment of the DFN-AAI, only two metadata files will then be available, each containing the metadata of all productive IdPs and SPs. The metadata administration tool of the DFN-AAI will continue to support the two Degrees Advanced and Basic. However, the IdP-side conformance to a Degree of Reliance and the related requirements of a Service Provider will then only be available via the corresponding Entity Attributes in the IdP and SP metadata. This type of labeling has already been implemented for some time.
  • At the end of 2022, support for the Degrees of Reliance on the part of the DFN-AAI metadata registry and metadata administration tool will be discontinued. As of January 2023, information on the reliability of digital identities in the DFN-AAI will be transported exclusively via the mechanisms of the REFEDS Assurance Framework..
  • Last modified: 3 weeks ago