Differences
This shows you the differences between two versions of the page.
en:degrees_of_reliance [2019/12/20 12:56] – Wolfgang Pempe | en:degrees_of_reliance [2023/01/12 19:42] (current) – removed Wolfgang Pempe
Line 1: | Line 1:
- | ====== Degrees of Reliance within the DFN-AAI ====== | ||
- | ===== 1 Introduction ===== | ||
- | Service providers have different requirements concerning the protection and accessibility of their resources and therefore different requirements regarding the reliability and trustworthiness of authentication within the DFN-AAI. On the other hand, institutions interested in accessing those resources are using different procedures for identification, | ||
- | |||
- | For these reasons, the DFN-AAI draws a distinction between different degrees of reliance: DFN-AAI Test (for testing purposes only), DFN-AAI Basic and DFN-AAI Advanced. The participating institutions / Home Organisations (i.e. Identity Providers) assign themselves to a certain degree as a declaration of conformity. The service providers chose the degree according to their individual needs in terms of protection of their resources. | ||
- | This ensures that users and resource providers get together at an adequate degree. | ||
- | |||
- | **Please note that the Degree of Reliance does not necessarily refer to the complete IdM of a Home Organisation. | ||
- | |||
- | ===== 2 Minimum Requirements of the Different Degrees of Reliance ===== | ||
- | Besides the aspects of trustworthy server-side communication ensured by digital certificates, | ||
- | * **I:** The procedure with which the Home Organisation confirms the identity of the individual user, | ||
- | * **A:** The procedure with which a user identifies him/herself (authentication) before accessing a resource, and | ||
- | * **D:** Data management and processes implemented by the Home Organisation to maintain its members' | ||
- | |||
- | The following tables determine the specific **minimum requirements** of each degree. This implies that procedures which are defined as minimum requirement of a higher degree are also acceptable for lower degrees. | ||
- | |||
- | ==== 2.1 Identification Procedure by the Home Organisation (I) ==== | ||
- | <callout type=" | ||
- | The requirements mentioned below only refer to the procedures for onboarding identities like enrolment of students. \\ | ||
- | **Procedures for resetting passwords are not subject of the Degrees of Reliance!** | ||
- | </ | ||
- | The Home Organisation has to assign unique digital identities to their users. | ||
- | ^ Degree | ||
- | ^ Test | any procedure | the Home Organisation may use any procedure to ascertain the identity of its users - this degree is intended for testing purposes only | | ||
- | ^ Basic | identification by means of a response from a unique address (e.g. email, phone number, postal address) | this procedure facilitates a quick and simple identification which may be sufficient for some resources - in this case a certain risk remains that the identity of the user could have been forged or stolen by an illegal third party | | ||
- | ^ Advanced | for identification, | ||
- | |||
- | ==== 2.2 Authentication Procedure (A) ==== | ||
- | In order to gain access to a certain resource, users must identify themselves to their Identity Management System (IdM) according to a specific procedure. There are several acceptable procedures in the context of the DFN-AAI. | ||
- | ^ Degree | ||
- | ^ Test | any procedure | the Home Organisation may implement any procedure for user authentication - this degree is intended for testing purposes only | | ||
- | ^ Basic | authentication with a unique digital address | this procedure facilitates a simple check which may be sufficient for some resources - in this case a certain risk remains that the identity of the user could have been forged or stolen by an illegal third party | | ||
- | ^ Advanced |authentication by means of a personal account with user ID and password or with a digital certificate which has been issued under sufficiently secure and trustworthy directives | by means of this procedure a person can unequivocally be authenticated, | ||
- | |||
- | ==== 2.3 Data Management and Processes for Maintaining Digital Identities (D) ==== | ||
- | The Home Organisation has to maintain the digital identities of its users and is obliged to bring the user data up-to-date. | ||
- | ^ Degree | ||
- | ^ Test | any procedure | the Home Organisation may implement any data management system and processes for maintaining its users' identities - this degree is intended for testing purposes only | | ||
- | ^ Basic | obliged to keep user data correct and bring it up-to-date within 3 months | the participating institution has to guarantee the correctness of data and identities and ensure that any changes are committed within 3 months | | ||
- | ^ Advanced | obliged to keep user data correct and bring it up-to-date within 2 weeks | the participating institution has to guarantee the correctness of data and identities and ensure that any changes are committed within 2 weeks | | ||
- | |||
- | ===== 3 Assignment to a Degree of Reliance ===== | ||
- | The degrees " | ||
- | For technical details please refer to [[en: | ||
- | |||
- | ==== 3.1 Classification of Resources ==== | ||
- | In the metadata administration tool the resource / service provider has to choose which degree of reliance he needs for his resource. Choosing the " | ||
- | |||
- | ==== 3.2 Declaration of conformity of the participating institutions ==== | ||
- | The Home Organisations use the metadata administration tool to declare to which degree their IdP conforms. The users of these institutions can then gain access to resources that were assigned to that degree by the resource providers (SPs). IdPs that conform to the " | ||
- | |||
- | **Example: | ||
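Review bot: the whole page is removed with "removed" as the only summary, and nothing in the diff points to where the definitions it carried now live, which leaves the procedures in section 3 dangling: section 3.1 still tells service providers to choose a degree of reliance for their resource in the metadata administration tool, and section 3.2 still tells Home Organisations to declare in the same tool which degree their IdP conforms to, so anyone following those instructions no longer has the minimum-requirement tables for I, A and D (sections 2.1 to 2.3) to classify against. Suggest either a short stub at en:degrees_of_reliance linking to the successor page, or a sentence in the removal summary stating that the Test/Basic/Advanced distinction no longer applies, so that the declaration-of-conformity and resource-classification steps are not left without their definitions.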