| Both sides previous revision Previous revision Next revision | Previous revisionLast revisionBoth sides next revision |
| en:aai:assurance [2022/12/16 17:05] – [Roadmap for the Transition Process] Wolfgang Pempe | en:aai:assurance [2023/01/12 19:20] – Wolfgang Pempe |
|---|
| ====== Identity Assurance ====== | ====== Identity Assurance ====== |
| <callout type="danger" title="Changes in Federation Metadata from 20 May 2022!"> | |
| In the course of the introduction of the REFEDS Assurance Framework, metadata aggregates separated according to Degrees of Reliance will no longer be available in the DFN-AAI from 20 May 2022. The distinction as to which Degree of Reliance an identity provider is assigned to will in future only be available via this entity attribute in the metadata: [[en:entity_attributes#degrees_of_reliance_of_idps|http://aai.dfn.de/loa/degree-of-reliance]]. | |
| |
| **The most important changes:** | |
| |
| The metadata aggregates dfn-aai-metadata.xml and dfn-aai-basic-metadata.xml will no longer be delivered as of 20.5.2022! | |
| |
| **Identity Providers** must import the metadata of the Service Providers of the DFN-AAI Productive Federation via this metadata URL: | |
| |
| http://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml resp. | |
| https://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml \\ | |
| ''(EntitiesDescriptor/@Name="https://www.aai.dfn.de/DFN-AAI-sp")'' | |
| |
| See [[en:metadata|Metadata]] and [[en:production#idp_example|the configuration examples at Production Environment]]. | |
| |
| **Service Providers** must import the metadata of the identity providers of the DFN-AAI productive federation via this metadata URL: | |
| |
| https://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml \\ | |
| (EntitiesDescriptor/@Name="https://www.aai.dfn.de/DFN-AAI-idp") | |
| |
| See [[en:metadata|Metadata]] and [[en:production#sp_example|the configuration examples at Production Environment]]. | |
| |
| All other metadata aggregates distributed by the DFN-AAI (eduGAIN, test federation, local metadata) remain unaffected by this measure. | |
| However, we recommend to use the (future-proof) URL variants without '/fileadmin', cf. the recommended URLs at [[en:metadata|Metadata]]. | |
| |
| If you have any questions, please contact the DFN-AAI Team: hotline@aai.dfn.de | |
| |
| </callout> | |
| ===== Levels of Assurance and the REFEDS Assurance Framework ===== | ===== Levels of Assurance and the REFEDS Assurance Framework ===== |
| |
| **The reliability of digital identities is an essential factor in the trust fabric of an identity federation like DFN-AAI.** | **The reliability of digital identities is an essential factor in the trust fabric of an identity federation like DFN-AAI.** |
| |
| The concept of the so-called [[en:degrees_of_reliance|Degrees of Reliance]] used in DFN-AAI since 2009 models the different trust levels or Degrees //Test//, //Basic// and //Advanced// via different [[en:metadata|metadata sets]]. Service providers perform a risk assessment and, depending on the protection requirements of the resources in question, configure the respective service provider in such a way that only metadata containing the identity providers of the selected Degree of Reliance are imported. This ensures at the technical level that interaction takes place exclusively with identity providers with whom there exists a basic trust relationship. | The [[https://refeds.org/assurance|REFEDS Assurance Framework]] defines how identity assurance information can be transported via values of the [[de:common_attributes#a14|eduPersonAssurance]] attribute. It enables service providers to address particularly relevant reliability criteria separately (if necessary), depending on individual protection requirements. As a internationally recognized standard, the [[https://refeds.org/assurance|REFEDS Assurance Framework]] is a key factor for the connectivity of the DFN-AAI in the international context. This particularly concerns the support of research communities that depend on cross-federation collaboration via [[https://wiki.geant.org/display/eduGAIN/|eduGAIN]]. |
| | |
| The imprecise and internationally incompatible concept of Degrees of Reliance will be replaced in the course of 2022 by the [[https://refeds.org/assurance|REFEDS Assurance Framework]], which covers more criteria than the existing Degrees of Reliance. By transporting identity assurance information via values of the [[de:common_attributes#a14|eduPersonAssurance]] attribute, the REFEDS Assurance Framework enables service providers to address particularly relevant reliability criteria separately (if necessary), depending on individual protection requirements, without having to demand an abstract, opaque set of criteria in the form of a Degree of Reliance. Another motivation for the change is the effort to maintain the connectivity of the DFN-AAI in the international context by implementing an internationally recognized standard. This particularly concerns the support of research communities that depend on cross-federation collaboration via [[https://wiki.geant.org/display/eduGAIN/|eduGAIN]]. | |
| |
| A more detailed presentation (in German) of the facts can be found in [[https://www2.dfn.de/fileadmin/5Presse/DFNMitteilungen/DFN_Mitteilungen_100.pdf|DFN-Mitteilungen Nr. 100]] starting on page 42. | A more detailed presentation (in German) of the facts can be found in [[https://www2.dfn.de/fileadmin/5Presse/DFNMitteilungen/DFN_Mitteilungen_100.pdf|DFN-Mitteilungen Nr. 100]] starting on page 42. |