Differences

This shows you the differences between two versions of the page.

en:aai:assurance_sp [2022/04/27 15:43] Wolfgang Pempeen:aai:assurance_sp [2024/01/21 13:46] (current) Wolfgang Pempe
Line 3: Line 3:
  
 ===== First Steps and Requirements ===== ===== First Steps and Requirements =====
-**Please read the [[https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0|specification]]!** \\ If you have any questions, please contact the [[hotline@aai.dfn.de|DFN-AAI Team]].+**Please read the current version of the [[https://refeds.org/assurance|specification]]!** \\ If you have any questions, please contact the [[hotline@aai.dfn.de|DFN-AAI Team]].
  
 **Please perform a protection needs assessment for the resources protected by the service provider. On this basis, you decide which criteria of the REFEDS Assurance Framework are relevant for the respective Service Provider and on the basis of which values of the [[de:common_attributes#a14|eduPersonAssurance]] attribute the authorization decision has to be made (for which also other factors are usually decisive).** **Please perform a protection needs assessment for the resources protected by the service provider. On this basis, you decide which criteria of the REFEDS Assurance Framework are relevant for the respective Service Provider and on the basis of which values of the [[de:common_attributes#a14|eduPersonAssurance]] attribute the authorization decision has to be made (for which also other factors are usually decisive).**
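Review bot: the new specification link replaces the pinned "ver 1.0" reference with "the current version", but the access rules later on this page are written against specific profile values and, in the second example, an explicit https://refeds.org/assurance/version/2 check; state here which REFEDS Assurance Framework version the examples assume (or link a versioned copy in addition to the landing page), otherwise an operator reading this after a further revision of the framework cannot tell whether the rules below still match the text they were told to read.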
Line 13: Line 13:
  
 ==== Metadata ==== ==== Metadata ====
-  * According to the [[en:aai:assurance#roadmap_for_the_changeover|roadmap]], there will no longer be metadata files separated by Degrees of Reliance as of 1.4.2022. The [[en:metadata|metadata]] of all productive Identity Providers in DFN-AAI is available at https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml. The examples under [[en:production|productive operations]] have already been mofified accordingly. Until the end of 2022, differentiation based on an [[en:entity_attributes#degrees_of_reliance_of_idps|Entity Attribute]] is still possible. Examples of a corresponding metadata filter can be found on the [[en:aai:mdq#filter_idps_from_dfn-aai_advanced|MDQ documentation]] and [[en:production#sp_example|Production Environment]] pages.+  * According to the [[en:aai:assurance#roadmap_for_the_changeover|roadmap]], there will no longer be metadata files separated by Degrees of Reliance as of May 20th, 2022. The [[en:metadata|metadata]] of all productive Identity Providers in DFN-AAI is available at https://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml. The examples under [[en:production|productive operations]] have already been modified accordingly. Until the end of 2022, differentiation based on an Entity Attribute is still possible. Examples of a corresponding metadata filter can be found on the [[en:aai:mdq|MDQ documentation]] and [[en:production|Production Environment]] pages.
   * In order to signal that the Service Provider requires and processes assurance information transported via the [[de:common_attributes#a14|eduPersonAssurance]] attribute, the ''eduPersonAssurance'' attribute should be declared as ''isRequired=true'' in the metadata administration tool under Attributes Consuming Service.   * In order to signal that the Service Provider requires and processes assurance information transported via the [[de:common_attributes#a14|eduPersonAssurance]] attribute, the ''eduPersonAssurance'' attribute should be declared as ''isRequired=true'' in the metadata administration tool under Attributes Consuming Service.
 ==== Apache Access Rules ==== ==== Apache Access Rules ====
-In this example, access to the resources protected by the SP is granted to persons whose digital identity meets the conditions for $PREFIX$/IAP/medium and $PREFIX$/ATP/ePA-1m. This corresponds very roughly to the [[en:degrees_of_reliance|Degree of Reliance 'Advanced']]+In this example, access to the resources protected by the SP is granted to persons whose digital identity meets the conditions for $PREFIX$/IAP/medium and $PREFIX$/ATP/ePA-1m. 
  
 <file apache /etc/apache2/sites-enabled/sp.uni-beispiel.de.conf> <file apache /etc/apache2/sites-enabled/sp.uni-beispiel.de.conf>
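Review bot: the sentence "Until the end of 2022, differentiation based on an Entity Attribute is still possible" is carried unchanged into a revision dated 2024/01/21 and is therefore stale; either say that this transitional option has ended or give its current status. The edit also drops the section anchors from the three links (#degrees_of_reliance_of_idps, #filter_idps_from_dfn-aai_advanced, #sp_example), so readers no longer land on the metadata filter example; restore the anchors or name the target sections. The IdP metadata URL moves from /fileadmin/metadata/ to /metadata/; since Service Providers configure this path in their metadata provider, a sentence flagging the changed location (and whether the old path is still served) would help operators who copied the earlier URL.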
Line 23: Line 23:
    ShibRequestSetting requireSession true    ShibRequestSetting requireSession true
    <RequireAll>    <RequireAll>
 +      Require shib-attr assurance https://refeds.org/assurance/IAP/medium
 +      Require shib-attr assurance https://refeds.org/assurance/ATP/ePA-1m
 +    </RequireAll>
 +</Location>
 +</file>
 +
 +As above - and the Service Provider only accepts the REFEDS Assurance Framework version 2.0. 
 +
 +<file apache /etc/apache2/sites-enabled/sp.uni-beispiel.de.conf>
 +<Location /protected>
 +   AuthType shibboleth
 +   ShibRequestSetting requireSession true
 +   <RequireAll>
 +      Require shib-attr assurance https://refeds.org/assurance/version/2
       Require shib-attr assurance https://refeds.org/assurance/IAP/medium       Require shib-attr assurance https://refeds.org/assurance/IAP/medium
       Require shib-attr assurance https://refeds.org/assurance/ATP/ePA-1m       Require shib-attr assurance https://refeds.org/assurance/ATP/ePA-1m
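Review bot: the prose still names the profiles as $PREFIX$/IAP/medium and $PREFIX$/ATP/ePA-1m while the rules spell them out as https://refeds.org/assurance/IAP/medium and .../ATP/ePA-1m; state once that $PREFIX$ stands for https://refeds.org/assurance so the text and the configuration visibly agree. The removed comparison with the Degree of Reliance 'Advanced' leaves no replacement hint for operators migrating from the old degrees. In the second example, the added "Require shib-attr assurance https://refeds.org/assurance/version/2" inside <RequireAll> means a session is only authorized when the IdP asserts that version value in addition to the IAP and ATP values, so users of IdPs that still emit only framework 1.0 values are refused; that is the intent of "only accepts ... version 2.0", but say so explicitly, since the rejection will surface as a generic Shibboleth authorization error. Both rule sets also rely on "assurance" being the attribute id that the SP's attribute map assigns to eduPersonAssurance; mention that prerequisite next to the examples.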