

REFEDS Assurance Framework - Service Provider

(general information on identity assurance)

Work in Progress

This page is still under construction!

Please read the specification!
If you have any questions, please contact the DFN-AAI Team.

Please perform a protection needs assessment for the resources protected by the Service Provider. On this basis, decide which criteria of the REFEDS Assurance Framework are relevant for the respective Service Provider and which values of the eduPersonAssurance attribute the authorization decision is to depend on (other factors, such as affiliation, are usually decisive as well).

Important Notes:

  • The following configuration examples refer exclusively to Shibboleth Service Provider version 3.2.x
  • These examples are intended as suggestions and should under no circumstances be adopted via copy + paste without reflection!
  • According to the roadmap, there will no longer be metadata files separated by reliability classes as of 1.4.2022. The metadata of all productive identity providers in DFN-AAI is available at https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml. The examples under productive operations have already been adjusted accordingly. Until the end of 2022, differentiation based on an entity attribute is still possible. An example of a corresponding metadata filter can be found on the MDQ documentation page.
  • In order to signal that the Service Provider requires and processes assurance information transported via the eduPersonAssurance attribute, the eduPersonAssurance attribute should be declared as isRequired=true in the metadata administration tool under Attributes Consuming Service.

The following example assumes that only staff members (affiliation value staff) of certain institutions, for whom $PREFIX$/ID/unique, $PREFIX$/IAP/medium and $PREFIX$/ATP/ePA-1m are all met, are to be granted access to the resource protected by the Service Provider. The list of access-authorized identity providers or home institutions is defined via a metadata filter.
Please note: by default, attribute-map.xml maps the attribute eduPersonAssurance to a variable named assurance and eduPersonAffiliation to a variable named unscoped-affiliation.

/etc/apache2/sites-enabled/sp.uni-beispiel.de.conf
<Location /protected>
   AuthType shibboleth
   ShibRequestSetting requireSession true
   <RequireAll>
      Require shib-attr unscoped-affiliation staff
      Require shib-attr assurance https://refeds.org/assurance/ID/unique
      Require shib-attr assurance https://refeds.org/assurance/IAP/medium
      Require shib-attr assurance https://refeds.org/assurance/ATP/ePA-1m
   </RequireAll>
</Location>
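Where the authorization decision is made in the application rather than in Apache (for example because a denial should be logged with the reason), the same rule as in the <RequireAll> block above can be evaluated over the attributes the Shibboleth SP exports into the request environment. The following Python script is an added example and not part of this page or of the DFN-AAI or Shibboleth projects. It assumes (not stated on this page) that the SP exports a multi-valued attribute as one string joined with ";" and escapes a literal ";" inside a value as "\;", which is the Shibboleth SP default, and it uses the variable names assurance and unscoped-affiliation from attribute-map.xml as stated above. The sample request environments at the bottom are constructed.

```python
"""Application-side evaluation of the REFEDS assurance rule from this page.

Added example, not code from the DFN-AAI page or the Shibboleth project.
Assumption: the Shibboleth SP joins multi-valued attributes with ';' and
escapes a ';' inside a value as '\\;' (SP default); variable names follow
the default attribute-map.xml as stated on the page.
"""

PREFIX = "https://refeds.org/assurance"

# All of these values must be present in eduPersonAssurance (RequireAll).
REQUIRED_ASSURANCE = frozenset({
    f"{PREFIX}/ID/unique",
    f"{PREFIX}/IAP/medium",
    f"{PREFIX}/ATP/ePA-1m",
})
REQUIRED_AFFILIATION = "staff"


def split_shib_values(raw: str) -> list[str]:
    """Split a Shibboleth SP multi-valued attribute string on unescaped ';'.

    A '\\;' sequence is an escaped semicolon that belongs to the value.
    Empty strings (including trailing separators) are dropped.
    """
    values, current, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")
            i += 2
            continue
        if ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if current or values:
        values.append("".join(current))
    return [v for v in values if v]


def authorize(environ: dict[str, str]) -> tuple[bool, list[str]]:
    """Return (granted, missing) for one request environment.

    Mirrors the <RequireAll> block: the affiliation must include 'staff' and
    the assurance attribute must carry every required REFEDS value. 'missing'
    names each unsatisfied requirement so a denial can be logged with a reason.
    """
    affiliations = set(split_shib_values(environ.get("unscoped-affiliation", "")))
    assurance = set(split_shib_values(environ.get("assurance", "")))
    missing = []
    if REQUIRED_AFFILIATION not in affiliations:
        missing.append(f"affiliation:{REQUIRED_AFFILIATION}")
    # Extra assurance values (e.g. IAP/low alongside IAP/medium) are harmless.
    missing.extend(sorted(REQUIRED_ASSURANCE - assurance))
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed sample environments, as the SP would export them.
    full = {
        "unscoped-affiliation": "member;staff",
        "assurance": f"{PREFIX}/ID/unique;{PREFIX}/IAP/medium;"
                     f"{PREFIX}/ATP/ePA-1m;{PREFIX}/IAP/low",
    }
    no_atp = {
        "unscoped-affiliation": "staff",
        "assurance": f"{PREFIX}/ID/unique;{PREFIX}/IAP/medium",
    }
    for name, env in (("full", full), ("no_atp", no_atp), ("empty", {})):
        granted, missing = authorize(env)
        print(f"{name}: granted={granted} missing={missing}")
```

The split is done by hand rather than with str.split(";") so that an escaped semicolon inside a value does not produce a spurious extra value; the returned missing list is what you would want in the SP-side application log when a user is denied.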