- AAF Core Attributes
- Number of values
- One or more
- Set of URIs that assert compliance with specific standards for
This attribute represents identity assurance profiles (IAPs), which are the set
of standards that are met by an identity assertion, based on the identity
provider's identity management processes, the type of authentication
credential used, the strength of its binding, etc. For identity assurance,
this refers to the strength of the processes used to identify the user at
the time of user registration. For token and credential management assurance,
this refers to the strength of the token used and the strength of the processes
used to manage tokens and credentials. Those establishing values for this
attribute should provide documentation explaining the semantics of the values.
The driving force behind the definition of this attribute is to enable
applications to understand the various strengths of different identity
management systems and authentication events and the processes and procedures
governing their operation and to be able to assess whether or not a given
transaction meets the requirements for access.
- A URN that resolves to the definition of the value used.
URNs must have format urn:mace:aaf.edu.au:iap:id:.[level], where level is a
value from 1 to 2, or urn:mace:aaf.edu.au:iap:authn:[level], where level is a
value from 0 to 2.
- Notes on usage
- There are different aspects to the concept of assurance,
including the strength of assurance in the user’s identity and the strength of
the method used to authenticate the user. In a SAML federation, it is possible
to use two attributes to differentiate these concepts. The AuthenticationMethod
attribute that is part of the SAML transaction can assert the strength of the
authentication method used in the transaction, and the eduPersonAssurance
attribute can assert the level of assurance in the user’s identity.
The Levels of
Assurance section provides a standard vocabulary to express both of these
concepts – the strength of assurance in the user’s identity and the strength
of the method used to authenticate the user.
- Notes on privacy
- Because a particular assurance value may be associated
with a small number of persons at an organisation, it may be prudent to remove
assurance information from data when performing anonymisation or