
Re: [Assurance] questions about how to implement incommon bronze/silver assurance


  • From: David Walker <>
  • To:
  • Subject: Re: [Assurance] questions about how to implement incommon bronze/silver assurance
  • Date: Tue, 10 Sep 2013 15:07:51 -0700

Welcome!

There's a lot involved in being certified for the assurance program, much of which is not technology.  Here are some useful references; they're all linked from the InCommon Assurance Program site at http://www.incommon.org/assurance/.


It may be tempting to read the IAP first, as it contains all of the requirements for Bronze and Silver certification, but read the IAAF first.  The IAAF provides context for the IAP and introduces a number of important concepts that can be confusing if you read the IAP first.

To answer your specific questions...

The IAP describes requirements for how you verify a person's identity, register that person in your IdMS, issue credentials, etc. before they can claim any assurance profile.  The IAP also has requirements for how authentication is done for the current session.  Typically, completion of the non-authentication requirements for a particular person is stored, as you said, in LDAP or some other data store. The authentication requirements, however, must be satisfied at the time an SP requests an assertion from your IdP.

The way this is communicated to an SP is in a SAML assertion, as the result of a SAML request from the SP.  Upon receiving a request for a particular assurance profile, the IdP looks up whether the user has met the non-authentication requirements, and then performs any necessary authentication.  "Assurance Enhancements for the Shibboleth Identity Provider":
https://spaces.internet2.edu/download/attachments/37650957/AssuranceReqShibIdP-19Apr2013.pdf?version=1&modificationDate=1366405685823
describes this process in agonizing detail.

David Walker

On Tue, 2013-09-10 at 20:34 +0000, XiaoXia Dong wrote:
Hello all,


I am new to this assurance list and would like to get some advice on how to implement the bronze/silver assurance.


In addition to adding info to metadata, how will you determine whether a given logged-in user is Silver/Bronze? And how will you communicate Silver/Bronze status to the SP? Do we need to store the Silver/Bronze status in LDAP or some other data store? Thanks.
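The IdP-side decision David describes (read the assurance profile the SP requests, check the person's stored eligibility, then check or redo the session authentication, and finally put the result in the assertion), as an added example that is not part of this thread and not Shibboleth's own code. The profile URIs for Bronze and Silver, the eduPersonAssurance attribute as the place where completed non-authentication requirements are recorded, the session rules, and every user and request below are assumptions or constructed data for illustration; the authoritative requirements are in the IAP.

```python
"""Added example: how an IdP can act on a RequestedAuthnContext that names an
InCommon assurance profile. Assumed identifiers and constructed data throughout."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])

# Assumed InCommon profile identifiers; verify against the current IAP.
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
SUPPORTED = (BRONZE, SILVER)

# Constructed stand-in for the directory (e.g. an LDAP record): the profiles whose
# non-authentication requirements (identity proofing, registration, credential
# issuance) this person has completed. Attribute name is an assumption.
DIRECTORY = {
    "jdoe": {"eduPersonAssurance": [BRONZE, SILVER]},
    "asmith": {"eduPersonAssurance": [BRONZE]},
    "newuser": {"eduPersonAssurance": []},
}

# Constructed session policy, NOT the IAP's actual rules: which authentication
# methods and how fresh an authentication the current session must have.
SESSION_POLICY = {
    BRONZE: {"methods": {"password", "password+otp"}, "max_age": timedelta(hours=12)},
    SILVER: {"methods": {"password+otp"}, "max_age": timedelta(minutes=30)},
}

NOW = datetime(2013, 9, 10, 22, 34, tzinfo=timezone.utc)  # constructed clock


def session(method, minutes_ago):
    """Constructed session record: how and when the current login authenticated."""
    return {"method": method, "authn_time": NOW - timedelta(minutes=minutes_ago)}


def request_for(*profiles):
    """Constructed SP AuthnRequest asking for one or more profiles (exact match)."""
    refs = "".join(
        f"<saml:AuthnContextClassRef>{p}</saml:AuthnContextClassRef>" for p in profiles
    )
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_req1" Version="2.0" IssueInstant="2013-09-10T22:34:00Z">'
        f"<saml:Issuer>https://sp.example.edu/shibboleth</saml:Issuer>"
        f'<samlp:RequestedAuthnContext Comparison="exact">{refs}</samlp:RequestedAuthnContext>'
        f"</samlp:AuthnRequest>"
    )


def requested_profiles(authn_request_xml):
    """Return the AuthnContextClassRef values the SP asked for, in request order."""
    root = ET.fromstring(authn_request_xml)
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS) if e.text]


def session_satisfies(profile, sess):
    """Does the live session already meet the profile's authentication rules?"""
    pol = SESSION_POLICY[profile]
    fresh = NOW - sess["authn_time"] <= pol["max_age"]
    return sess["method"] in pol["methods"] and fresh


def decide(uid, authn_request_xml, sess):
    """Three outcomes: ("assert", profile) when stored eligibility and the session both
    satisfy a requested profile; ("reauthenticate", profile) when the person is eligible
    but the session must be stepped up first; ("deny", None) when not eligible."""
    known = [p for p in requested_profiles(authn_request_xml) if p in SUPPORTED]
    stored = set(DIRECTORY.get(uid, {}).get("eduPersonAssurance", []))
    eligible = [p for p in known if p in stored]
    if not eligible:
        return ("deny", None)
    for p in eligible:
        if session_satisfies(p, sess):
            return ("assert", p)
    return ("reauthenticate", eligible[0])


def build_authn_statement(profile, authn_time):
    """The AuthnStatement the IdP places in its assertion to communicate the profile."""
    stmt = ET.Element(f"{{{NS['saml']}}}AuthnStatement",
                      AuthnInstant=authn_time.strftime("%Y-%m-%dT%H:%M:%SZ"))
    ctx = ET.SubElement(stmt, f"{{{NS['saml']}}}AuthnContext")
    ET.SubElement(ctx, f"{{{NS['saml']}}}AuthnContextClassRef").text = profile
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    req = request_for(SILVER)
    for uid, sess in [("jdoe", session("password+otp", 5)),
                      ("jdoe", session("password", 5)),
                      ("asmith", session("password+otp", 5))]:
        outcome, profile = decide(uid, req, sess)
        print(uid, outcome, profile)
        if outcome == "assert":
            print(build_authn_statement(profile, sess["authn_time"]))
```

The split into a stored-eligibility check and a live-session check is the point: the directory answers only whether the person ever completed proofing and registration, while the authentication rules have to be evaluated at the moment of the SP's request, so a stale or weaker login yields "reauthenticate" rather than a Silver assertion.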