Assurance

On this page we have collected a number of resources on the quality (or level) of assurance of digital identities exchanged in federations like WAYF, i.e. the degree of trust service providers can have in the logins the federation mediates from the user organisations, and how that degree of trust is described.

A number of assurance frameworks exist, but arguably the two most important dimensions of the concept are: how a user organisation makes sure the login means of a digital identity are delivered to the intended physical person (identity assurance level, “IAL”), and by what means the user has identified herself in a specific session (authentication assurance level, “AAL”), typically which and how many “factors” were used. A third dimension is how securely the evidence of a specific session (the login “token”) is conveyed from the user organisation to the service provider, the so-called federation assurance level (“FAL”). Assurance can also concern other properties, e.g. how fresh the supplied user data are, all depending on the service provider's needs.

In a login token, information on the level of assurance is normally found in elements such as eduPersonAssurance, AuthnContext, acr and amr. In WAYF, all assurance levels are in principle permitted, but every user organisation MUST specify in the login token a digit indicating the identity's level of assurance (see this page's description of eduPersonAssurance), and in addition SHOULD implement both the REFEDS MFA Profile and the REFEDS Assurance Framework, the international standard for assurance within research and higher education. It is always the responsibility of the service provider to check in the login token whether the identity's assurance level is sufficient for the service being accessed.
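As an added illustration of the service-provider-side check described above (example code, not WAYF's own), the following reads the two assurance signals from a SAML login token and compares them with the service's own policy. The sample assertion is constructed, the minimum-digit and require-MFA policy values are assumed to be the service provider's choice, and the token is assumed to have been signature-validated by the SAML library before this check runs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"   # eduPersonAssurance attribute
REFEDS_MFA = "https://refeds.org/profile/mfa"   # REFEDS MFA Profile context class

# Constructed sample assertion (not a real WAYF token), trimmed to the parts the check needs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x">
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
      <saml:AttributeValue>2</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_assurance(assertion_xml):
    """Return (AuthnContextClassRef values, eduPersonAssurance values) from the token."""
    root = ET.fromstring(assertion_xml)
    acr = [e.text.strip() for e in root.findall(".//saml:AuthnContextClassRef", NS) if e.text]
    epa = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == EPA_OID:
            epa += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return acr, epa


def wayf_level(epa_values):
    """The WAYF identity-assurance digit; 0 if the user organisation sent none."""
    digits = [int(v) for v in epa_values if v.isdigit()]
    return max(digits) if digits else 0


def check_assurance(assertion_xml, min_level, require_mfa):
    """Return (ok, reasons). min_level and require_mfa are the SP's assumed policy."""
    acr, epa = extract_assurance(assertion_xml)
    reasons = []
    level = wayf_level(epa)
    if level < min_level:
        reasons.append(f"identity assurance digit {level} below required {min_level}")
    if require_mfa and REFEDS_MFA not in acr:
        reasons.append("REFEDS MFA authentication context not asserted")
    return (not reasons), reasons
```

A token that lacks the digit entirely is treated as level 0 and therefore fails any policy requiring a minimum, so a missing value never passes by default.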