
Copy of a thread from the Educause IdM work group

Begin forwarded message:

From: Pål Axelsson <Pal.Axelsson@ITS.UU.SE>
Date: October 9, 2008 4:04:29 PM CDT
To: "IDM@LISTSERV.EDUCAUSE.EDU" <IDM@LISTSERV.EDUCAUSE.EDU>
Subject: [IDM] SV: [IDM] SV: [IDM] level of assurance/in-person proofing ldap attribute
Reply-To: Identity Management Constituent Group Discussion list <IDM@LISTSERV.EDUCAUSE.EDU>
Hi again,
It's, as usual, very nice to have an open specification, but I think that in a couple of years we'll see a harmonization on standard values for eduPersonAssurance. There are primarily two reasons I think this will happen: SPs want to have the same setup values for different customers in different federations, and local campus administrators do not want to handle multiple values due to the workload. I look forward to the process regarding this.
I've already seen an attempt to define this type of harmonization of LoA in a URN. There is an OASIS draft from July this year that in chapter 3 defines 4 URNs for NIST 800-63. The values are "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1", "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2", "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:3" and "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4". For more information please see "Level of Assurance Authentication Context Profiles for SAML 2.0", http://wiki.oasis-open.org/security/SAML2LOAAuthnCtxProfile .
Pål Axelsson
-----Original message-----
From: Identity Management Constituent Group Discussion list [mailto:IDM@LISTSERV.EDUCAUSE.EDU] On behalf of Brendan Bellina
Sent: 9 October 2008 19:08
To: IDM@LISTSERV.EDUCAUSE.EDU
Subject: Re: [IDM] SV: [IDM] level of assurance/in-person proofing ldap attribute
The idea was to get an attribute in the spec so that people could start making use of it. It is non-restrictive because we did not want to limit its usefulness, nor did we know each potential use case. So both federation-defined values and local values are fine. SPs can disregard values they do not recognize.
Regards,
Brendan Bellina
MACE-Dir chair
University of Southern California
On Oct 9, 2008, at 8:36 AM, Jones, Mark B wrote:
I think the idea was that the values in this attribute should reference well-known, well-defined profiles. For instance, InCommon Silver.
If a particular institution wanted to define their own values, that is OK, but it complicates negotiations between SP and IdP because you first have to understand the LoA profiles that are going to be asserted.
-----Original Message-----
From: Identity Management Constituent Group Discussion list [mailto:IDM@LISTSERV.EDUCAUSE.EDU] On Behalf Of Pål Axelsson
Sent: Thursday, October 09, 2008 7:11 AM
To: IDM@LISTSERV.EDUCAUSE.EDU
Subject: [IDM] SV: [IDM] level of assurance/in-person proofing ldap attribute
Hi,
The problem with this grand solution is that it's dynamic, and therefore the values will be different between schools. This is a multi-tier problem: all service providers must learn the values for different schools. The solution for this is that, in a federation, the values for level of assurance are defined. If a school is a member of different federations, it has different values for each federation. It can be solved with a value translator, or by the federations using the same value set.
Pål Axelsson
-----Original message-----
From: Identity Management Constituent Group Discussion list [mailto:IDM@LISTSERV.EDUCAUSE.EDU] On behalf of Caskey, Paul
Sent: 8 October 2008 17:42
To: IDM@LISTSERV.EDUCAUSE.EDU
Subject: Re: [IDM] level of assurance/in-person proofing ldap attribute
Hi Dave-
The latest rev of eduPerson (http://www.nmi-edit.org/eduPerson/internet2-mace-dir-eduperson-200806.html) contains eduPersonAssurance for listing Identity Assurance Profile(s) with which a user/IdP complies.
-----Original Message-----
From: Identity Management Constituent Group Discussion list [mailto:IDM@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Alexander
Sent: Wednesday, October 08, 2008 10:37 AM
To: IDM@LISTSERV.EDUCAUSE.EDU
Subject: [IDM] level of assurance/in-person proofing ldap attribute
Is there a standard ldap attribute people are using for level of assurance or to indicate in-person proofing?
It seems like schools are just putting something in their local eduPerson schema. Is this the current best practice?
Dave
-- Ohio University <http://edirectory.ohio.edu/?$search?uid=alexandd>
Alan Sill, Ph.D.
Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics, TTU
Alan Sill, Texas Tech University, Office: Admin 233, MS 4-1167
e-mail: Alan.Sill@ttu.edu, ph. 806-742-4350, fax 806-742-4358
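The thread touches three points an SP implementer has to handle together: the LoA may arrive either as an eduPersonAssurance attribute value or as a SAML AuthnContextClassRef (the OASIS draft URNs Pål quotes), federations and campuses may use different identifiers for comparable profiles (Pål's "value translator"), and the SP should disregard values it does not recognize (Brendan's point). The Python below is an added example, not code from the thread, the eduPerson specification or the OASIS profile. It parses a constructed SAML 2.0 assertion, collects both sources of assurance identifiers, translates the ones it knows to a NIST 800-63 level and drops the rest. The OASIS URNs are the draft values quoted above; the eduPersonAssurance OID name, the InCommon Bronze/Silver URIs and their mapping to levels 1 and 2, and the example.edu local value are assumptions made for the example.

```python
"""SP-side level-of-assurance check for a SAML 2.0 assertion (added example).

Runs on an assertion that has ALREADY been signature-checked and whose issuer
is a known IdP; XML parsing here is not a substitute for either step.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# eduPersonAssurance as carried in a SAML AttributeStatement under its OID
# name (assumed: eduPerson schema OID 1.3.6.1.4.1.5923.1.1.1.11).
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

# Translation table: profile identifier -> NIST 800-63 level.  The OASIS
# draft URNs are the ones quoted in the thread; the InCommon URIs, their
# levels and the example.edu value are assumptions for this example.
NIST_PREFIX = "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:"
LOA_MAP = {NIST_PREFIX + str(n): n for n in range(1, 5)}
LOA_MAP.update({
    "http://id.incommon.org/assurance/bronze": 1,
    "http://id.incommon.org/assurance/silver": 2,
    "urn:mace:example.edu:assurance:in-person": 2,  # hypothetical local value
})

# Constructed sample assertion: one recognized and one unrecognized
# eduPersonAssurance value, plus an AuthnContextClassRef that carries no LoA.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2008-10-09T14:04:29Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2008-10-09T14:04:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        FriendlyName="eduPersonAssurance">
      <saml:AttributeValue>http://id.incommon.org/assurance/silver</saml:AttributeValue>
      <saml:AttributeValue>urn:mace:example.edu:assurance:local-only</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_assurance(assertion_xml):
    """Return (AuthnContextClassRef or None, list of eduPersonAssurance values)."""
    root = ET.fromstring(assertion_xml)
    acr = root.find(".//saml:AuthnContextClassRef", SAML_NS)
    acr_value = acr.text.strip() if acr is not None and acr.text else None
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != EDUPERSON_ASSURANCE:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return acr_value, values


def effective_loa(identifiers):
    """Highest level among the recognized identifiers; unknown ones are ignored.

    Returns 0 when nothing is recognized, so an IdP that only asserts local
    values it never explained to this SP gets no assurance credit at all.
    """
    known = [LOA_MAP[i] for i in identifiers if i in LOA_MAP]
    return max(known) if known else 0


def meets_required_loa(assertion_xml, required):
    """True if either the attribute values or the authn context reach `required`."""
    acr, values = extract_assurance(assertion_xml)
    candidates = list(values) + ([acr] if acr else [])
    return effective_loa(candidates) >= required


if __name__ == "__main__":
    acr, values = extract_assurance(SAMPLE_ASSERTION)
    print("AuthnContextClassRef:", acr)
    print("eduPersonAssurance:", values)
    print("effective LoA:", effective_loa(values + [acr]))
    print("meets LoA 2:", meets_required_loa(SAMPLE_ASSERTION, 2))
    print("meets LoA 3:", meets_required_loa(SAMPLE_ASSERTION, 3))
```

The translation table is deliberately a plain dictionary so that each federation's value set can be loaded from configuration rather than hard-coded; in a real deployment it should also be scoped per issuer, so that an IdP is only credited for the profiles its federation metadata says it is certified for, rather than for any URN it chooses to assert.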