en:aai:assurance_sp [2021/12/29 14:25] – [Metadata] Wolfgang Pempe | en:aai:assurance_sp [2022/05/03 16:39] – [Metadata] Wolfgang Pempe |
====== REFEDS Assurance Framework - Service Provider ====== | ====== REFEDS Assurance Framework - Service Provider ====== |
([[en:aai:assurance|general information on identity assurance]]) | ([[en:aai:assurance|general information on identity assurance]]) |
| |
<callout type="danger" title="Work in Progress"> | |
This page is still under construction! | |
</callout> | |
| |
===== First Steps and Requirements ===== | ===== First Steps and Requirements ===== |
| |
==== Metadata ==== | ==== Metadata ==== |
* According to the [[en:aai:assurance#roadmap_for_the_changeover|roadmap]], there will no longer be metadata files separated by Degrees of Reliance as of 1.4.2022. The [[en:metadata|metadata]] of all productive Identity Providers in DFN-AAI is available at https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml. The examples under [[en:production|productive operations]] have already been mofified accordingly. Until the end of 2022, differentiation based on an [[en:entity_attributes#degrees_of_reliance_of_idps|Entity Attribute]] is still possible. An example of a corresponding metadata filter can be found on the [[en:aai:mdq#filter_idps_from_dfn-aai_advanced|MDQ documentation page]]. | * According to the [[en:aai:assurance#roadmap_for_the_changeover|roadmap]], there will no longer be metadata files separated by Degrees of Reliance as of May 20th, 2022. The [[en:metadata|metadata]] of all productive Identity Providers in DFN-AAI is available at https://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml. The examples under [[en:production|productive operations]] have already been mofified accordingly. Until the end of 2022, differentiation based on an [[en:entity_attributes#degrees_of_reliance_of_idps|Entity Attribute]] is still possible. Examples of a corresponding metadata filter can be found on the [[en:aai:mdq#filter_idps_from_dfn-aai_advanced|MDQ documentation]] and [[en:production#sp_example|Production Environment]] pages. |
* In order to signal that the Service Provider requires and processes assurance information transported via the [[de:common_attributes#a14|eduPersonAssurance]] attribute, the ''eduPersonAssurance'' attribute should be declared as ''isRequired=true'' in the metadata administration tool under Attributes Consuming Service. | * In order to signal that the Service Provider requires and processes assurance information transported via the [[de:common_attributes#a14|eduPersonAssurance]] attribute, the ''eduPersonAssurance'' attribute should be declared as ''isRequired=true'' in the metadata administration tool under Attributes Consuming Service. |
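Review bot: The spelling "mofified" in the Metadata bullet survives on both sides of this revision; change it to "modified". The bullet now carries two deadlines from two sources, "May 20th, 2022" (linked to the roadmap) for the end of the separate metadata files and "until the end of 2022" (unlinked) for the Entity Attribute based differentiation; linking the second date to the roadmap as well would give an SP operator one place to verify both. Dropping the "Work in Progress" callout in the same edit is reasonable now that the MDQ and Production Environment filter examples are referenced.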
==== Apache Access Rules ==== | ==== Apache Access Rules ==== |
| In this example, access to the resources protected by the SP is granted to persons whose digital identity meets the conditions for $PREFIX$/IAP/medium and $PREFIX$/ATP/ePA-1m. This corresponds very roughly to the [[en:degrees_of_reliance|Degree of Reliance 'Advanced']]. |
| |
| <file apache /etc/apache2/sites-enabled/sp.uni-beispiel.de.conf> |
| <Location /protected> |
| AuthType shibboleth |
| ShibRequestSetting requireSession true |
| <RequireAll> |
| Require shib-attr assurance https://refeds.org/assurance/IAP/medium |
| Require shib-attr assurance https://refeds.org/assurance/ATP/ePA-1m |
| </RequireAll> |
| </Location> |
| </file> |
| |
The following example assumes that only staff members (''staff'') of certain institutions, for whom $PREFIX$/ID/unique, $PREFIX$/IAP/medium und $PREFIX$/ATP/ePA-1m are met, are to be granted access to the resource protected by the service provider. The list of access-authorized identity providers or home institutions is defined via a [[de:shibsp#filtermechanismen|metadata filter]]. \\ | The following example assumes that only staff members (''staff'') of certain institutions, for whom $PREFIX$/ID/unique, $PREFIX$/IAP/medium und $PREFIX$/ATP/ePA-1m are met, are to be granted access to the resource protected by the service provider. The list of access-authorized identity providers or home institutions is defined via a [[de:shibsp#filtermechanismen|metadata filter]]. \\ |
</file> | </file> |
| |
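Review bot: The prose in the new Apache Access Rules section writes the values as $PREFIX$/IAP/medium and $PREFIX$/ATP/ePA-1m while the added config block spells them out as https://refeds.org/assurance/IAP/medium and https://refeds.org/assurance/ATP/ePA-1m; state once that $PREFIX$ expands to https://refeds.org/assurance so readers can map the two. The attribute id "assurance" in "Require shib-attr assurance ..." must match the id under which the SP's attribute map exposes eduPersonAssurance, which the Metadata bullet above asks to be declared isRequired=true; a short remark would save operators a puzzling 403. Worth saying explicitly as well: <RequireAll> denies access when either value is missing, so a user whose IdP releases no eduPersonAssurance at all is rejected rather than let through, which is the desired fail-closed behaviour. In the second example's sentence the German "und" between $PREFIX$/IAP/medium and $PREFIX$/ATP/ePA-1m should read "and".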
==== Literature ==== | **XML Access Control:** For more ways to configure access control using the Shibboleth SP, please refer to [[https://www.switch.ch/aai/guides/sp/access-rules|the documentation provided by SWITCH]] |
| |
| ==== Further Reading ==== |
* [[https://doi.org/10.5281/zenodo.3627594|Comparison Guide to Identity Assurance Mappings for Infrastructures]] | * [[https://doi.org/10.5281/zenodo.3627594|Comparison Guide to Identity Assurance Mappings for Infrastructures]] |
* [[https://doi.org/10.5281/zenodo.4916049|Making Identity Assurance and Authentication Strength Work for Federated Infrastructures]] | * [[https://doi.org/10.5281/zenodo.4916049|Making Identity Assurance and Authentication Strength Work for Federated Infrastructures]] |
| |
{{tag>assurance}} | {{tag>assurance}} |
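Review bot: The new "XML Access Control" sentence lacks a terminating period after "the documentation provided by SWITCH". Renaming "Literature" to "Further Reading" is fine since both Zenodo entries are unchanged, but the SWITCH access-rules pointer is operational guidance rather than reading material, so placing it at the end of the Apache Access Rules section (where it now sits) rather than under the renamed heading is the right choice; keep it there.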