This is an old revision of the document!
REFEDS Assurance Framework - Service Provider
(general information on identity assurance)
Work in Progress
This page is still under construction!First Steps and Requirements
Please read the specification!
If you have any questions, please contact the DFN-AAI Team.
Please perform a protection needs assessment for the resources protected by the service provider. On this basis, you decide which criteria of the REFEDS Assurance Framework are relevant for the respective Service Provider and on the basis of which values of the eduPersonAssurance attribute the authorization decision has to be made (for which also other factors are usually decisive).
Configuration Examples
Important Notes:
- The following configuration examples refer exclusively to Shibboleth Service Provider version 3.2.x
- These examples are intended as suggestions and should under no circumstances be adopted via copy + paste without reflection!
Metadata
- Laut Roadmap wird es ab 1.4.2022 keine nach Verlässlichkeitsklassen getrennten Metadatendateien mehr geben. Die Metadaten aller produktiven Identity Provider in der DFN-AAI sind unter https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml verfügbar. Die Beispiele unter Produktivbetrieb sind bereits entsprechend angepasst. Bis Jahresende 2022 ist nach wie vor eine Unterscheidung anhand eines Entity Attributs möglich. Ein Beispiel für einen entsprechenden Metadata Filter findet sich auf der Seite zur MDQ-Dokumentation.
- Um zu signalisieren, dass der Service Provider Verlässlichkeitsangaben benötigt und verarbeitet, die über das Attribut eduPersonAssurance transportiert werden, sollte in der Metadatenverwaltung unter Attribute Consuming Service das Attribut
eduPersonAssurance
alsisRequired=true
deklariert werden.
Apache Access Rules
The following example assumes that only staff members (staff
) of certain institutions, for whom $PREFIX$/ID/unique, $PREFIX$/IAP/medium und $PREFIX$/ATP/ePA-1m are met, are to be granted access to the resource protected by the service provider. The list of access-authorized identity providers or home institutions is defined via a metadata filter.
Please note: The attribute eduPersonAssurance
is mapped to a variable named assurance
by default in attribute-map.xml
, in case of eduPersonAffiliation
the variable is named unscoped-affiliation
.
- /etc/apache2/sites-enabled/sp.uni-beispiel.de.conf
<Location /protected> AuthType shibboleth ShibRequestSetting requireSession true <RequireAll> Require shib-attr unscoped-affiliation staff Require shib-attr assurance https://refeds.org/assurance/ID/unique Require shib-attr assurance https://refeds.org/assurance/IAP/medium Require shib-attr assurance https://refeds.org/assurance/ATP/ePA-1m </RequireAll> </Location>