Degrees of Reliance within the DFN-AAI

Service providers have different requirements concerning the protection and accessibility of their resources, and therefore different requirements regarding the reliability and trustworthiness of authentication within the DFN-AAI. At the same time, the institutions whose members access those resources use different procedures for identification, authentication and the management of digital identities.

For these reasons, the DFN-AAI distinguishes between different degrees of reliance: DFN-AAI Test (for testing purposes only), DFN-AAI Basic and DFN-AAI Advanced. The participating institutions / Home Organisations (i.e. the Identity Providers) assign themselves to a degree as a declaration of conformity. The service providers choose the degree according to their individual needs in terms of protection of their resources. This ensures that users and resource providers meet at an adequate degree.

Please note that the Degree of Reliance does not necessarily refer to the complete IdM of a Home Organisation. It must be guaranteed that only those identities which conform to a certain Degree of Reliance are able to access a resource (service) requiring at least this Degree of Reliance. That is, the Home Organisation has to make sure that only identities meeting the requirements of the degree “Advanced” are able to access a resource in DFN-AAI Advanced, even if the same IdP also manages identities that only meet “Basic” (or no) requirements.

Besides the aspects of trustworthy server-side communication ensured by digital certificates, the degrees of reliance are determined by the following three criteria:

  • I: The procedure with which the Home Organisation confirms the identity of the individual user,
  • A: The procedure with which a user identifies him/herself (authentication) before accessing a resource, and
  • D: Data management and processes implemented by the Home Organisation to maintain its members' digital identities.

The following tables define the specific minimum requirements of each degree. A procedure that is defined as the minimum requirement of a higher degree is also acceptable for all lower degrees.

2.1 Identification Procedure by the Home Organisation (I)

The Home Organisation has to assign unique digital identities to its users. In this context, it must ascertain the identity of each individual user. There are several acceptable procedures within the DFN-AAI for this purpose.

Degree: Test
  Minimum requirement: any procedure
  Comments: the Home Organisation may use any procedure to ascertain the identity of its users; this degree is intended for testing purposes only

Degree: Basic
  Minimum requirement: identification by means of a response from a unique address (e.g. email, phone number, postal address)
  Comments: this procedure facilitates a quick and simple identification which may be sufficient for some resources; in this case a certain risk remains that the identity of the user could have been forged or stolen by an unauthorised third party

Degree: Advanced
  Minimum requirement: for identification, users must present themselves in person with an official ID. The enrolment and recruitment procedures established by the universities are considered equivalent.
  Comments: by means of this procedure the identity can be unequivocally ascertained (examples: enrolment of students presenting a certificate of qualification for university entrance, identity card, etc.; entering into an employment contract including an adequate identity check; personal presentation with an identity card at a RA of the DFN-PKI; the eID function of the nPa [“neuer Personalausweis”]; or the so-called “Post-Ident” procedure)

2.2 Authentication Procedure (A)

In order to gain access to a certain resource, users must authenticate to the Identity Management System (IdM) of their Home Organisation according to a specific procedure. There are several acceptable procedures in the context of the DFN-AAI.

Degree: Test
  Minimum requirement: any procedure
  Comments: the Home Organisation may implement any procedure for user authentication; this degree is intended for testing purposes only

Degree: Basic
  Minimum requirement: authentication with a unique digital address
  Comments: this procedure facilitates a simple check which may be sufficient for some resources; in this case a certain risk remains that the identity of the user could have been forged or stolen by an unauthorised third party

Degree: Advanced
  Minimum requirement: authentication by means of a personal account with user ID and password, or with a digital certificate which has been issued under sufficiently secure and trustworthy directives
  Comments: by means of this procedure a person can be unequivocally authenticated, provided that the account was created under sufficiently secure and trustworthy directives, as is e.g. the case with the digital certificates of the DFN-PKI “Global”

2.3 Data Management and Processes for Maintaining Digital Identities (D)

The Home Organisation has to maintain the digital identities of its users and is obliged to keep the user data up to date.

Degree: Test
  Minimum requirement: any procedure
  Comments: the Home Organisation may implement any data management system and processes for maintaining its users' identities; this degree is intended for testing purposes only

Degree: Basic
  Minimum requirement: obliged to keep user data correct and bring it up to date within 3 months
  Comments: the participating institution has to guarantee the correctness of data and identities and ensure that any changes are committed within 3 months

Degree: Advanced
  Minimum requirement: obliged to keep user data correct and bring it up to date within 2 weeks
  Comments: the participating institution has to guarantee the correctness of data and identities and ensure that any changes are committed within 2 weeks

The degrees “Test”, “Basic” and “Advanced” are implemented as different sets of metadata within the DFN-AAI. The degree “Test” is intended for testing purposes only; the usage of this degree for production purposes is not permitted.
For technical details please refer to Metadata and Production Environment.

3.1 Classification of Resources

In the metadata administration tool the resource / service provider has to choose which degree of reliance it needs for its resource. Choosing the “Basic” degree means that IdPs with degrees “Basic” and “Advanced” can gain access; choosing “Advanced” means only IdPs with degree “Advanced” can gain access.

3.2 Declaration of conformity of the participating institutions

The Home Organisations use the metadata administration tool to declare to which degree their IdP conforms. The users of these institutions can then gain access to resources that were assigned to that degree (or a lower one) by the resource providers (SPs). IdPs that conform to the “Advanced” degree have access to resources in “Advanced” and “Basic”; IdPs that only conform to “Basic” can only gain access to resources in “Basic”.

Example: If an institution wants to assign its IdP to DFN-AAI “Basic”, all three criteria (I), (A) and (D) must at least meet the requirements of degree “Basic”. If at least one criterion is not met, the assignment to DFN-AAI “Basic” is not permissible. In other words, the degree an IdP may declare is the lowest degree it meets across the three criteria.
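The rules in 3.1 and 3.2 can be stated as a small model: an IdP's effective degree is the minimum over the criteria (I), (A) and (D); an SP chooses a required degree; an IdP is admitted to an SP's resource when its effective degree is at least the required one; and the “Test” degree never appears in a production set. The following Python script is an added illustration of that model, not the DFN-AAI metadata administration tool or its real metadata files. The entity IDs, the assumption that an SP is listed in exactly the set matching the degree it chose, and the representation of the sets as plain dictionaries are all assumptions made here for the example.

```python
from enum import IntEnum
from typing import Dict, List, Tuple


class Degree(IntEnum):
    """Degrees of reliance, ordered so that a higher value satisfies a lower requirement."""
    TEST = 0
    BASIC = 1
    ADVANCED = 2


def effective_degree(identification: Degree, authentication: Degree,
                     data_management: Degree) -> Degree:
    """An IdP may only declare the lowest degree it meets across (I), (A) and (D).

    E.g. Advanced identification and authentication combined with Basic data
    management yields an effective degree of Basic.
    """
    return min(identification, authentication, data_management)


def idp_admitted(idp_degree: Degree, sp_required: Degree) -> bool:
    """An IdP is admitted when its degree is at least the degree the SP chose.

    Procedures required by a higher degree are acceptable for lower degrees,
    so "Advanced" IdPs reach "Basic" resources but not the other way round.
    """
    return idp_degree >= sp_required


def build_metadata_sets(
    idps: Dict[str, Tuple[Degree, Degree, Degree]],
    sps: Dict[str, Degree],
) -> Dict[Degree, Dict[str, List[str]]]:
    """Model the per-degree metadata sets for the production degrees only.

    idps maps an IdP entity ID to its (I, A, D) declarations; sps maps an SP
    entity ID to the degree it requires. "Test" IdPs and SPs are never placed
    in a production set, which is what makes "Test" unusable for production.
    """
    sets: Dict[Degree, Dict[str, List[str]]] = {}
    for degree in (Degree.BASIC, Degree.ADVANCED):
        admitted_idps = sorted(
            entity_id
            for entity_id, (ident, auth, data) in idps.items()
            if idp_admitted(effective_degree(ident, auth, data), degree)
        )
        # Assumption for this example: an SP appears in exactly the set of the
        # degree it chose; every IdP in that set is admitted to it.
        member_sps = sorted(entity_id for entity_id, req in sps.items() if req == degree)
        sets[degree] = {"idps": admitted_idps, "sps": member_sps}
    return sets


# Constructed sample declarations (entity IDs invented for this example).
SAMPLE_IDPS: Dict[str, Tuple[Degree, Degree, Degree]] = {
    # Advanced identification and authentication, but only 3-month data upkeep.
    "https://idp.example-uni.de/idp/shibboleth": (Degree.ADVANCED, Degree.ADVANCED, Degree.BASIC),
    # All three criteria at Advanced.
    "https://idp.example-fh.de/idp/shibboleth": (Degree.ADVANCED, Degree.ADVANCED, Degree.ADVANCED),
    # Identification not established at all: Test only.
    "https://idp.test-lab.example/idp/shibboleth": (Degree.TEST, Degree.BASIC, Degree.BASIC),
}

SAMPLE_SPS: Dict[str, Degree] = {
    "https://sp.journals.example/shibboleth": Degree.BASIC,
    "https://sp.hpc.example/shibboleth": Degree.ADVANCED,
    "https://sp.sandbox.example/shibboleth": Degree.TEST,
}


if __name__ == "__main__":
    for degree, members in build_metadata_sets(SAMPLE_IDPS, SAMPLE_SPS).items():
        print(f"DFN-AAI {degree.name.title()} set:")
        print("  IdPs:", *members["idps"], sep="\n    ")
        print("  SPs:", *members["sps"], sep="\n    ")
```

Running the script shows the “Basic” set containing both the example-uni and example-fh IdPs together with the journals SP, while the “Advanced” set contains only the example-fh IdP and the HPC SP; the Test IdP and the sandbox SP appear in neither. The example-uni IdP is demoted to “Basic” solely by its data-management criterion, which is the point of the rule in the paragraph above.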
