InCommon Assurance Technical Procedures
Final Draft
Technical elements
In the eduPerson schema, the eduPersonAssurance attribute is specified for inclusion in identity assertions to indicate to relying parties that an assertion has been issued under the conditions of a particular identity assurance profile. InCommon defines values for the eduPersonAssurance attribute for use with the profiles defined in the InCommon Identity Assurance Framework. These values are:
- http://incommonfederation.org/assurance/silver : indicates Silver profile
- http://incommonfederation.org/assurance/bronze : indicates Bronze profile
An InCommon Identity Provider which has been certified via the Framework has its entity information included on an informational web page:
- http://incommonfederation.org/assurance/silver : for Silver profile
- http://incommonfederation.org/assurance/bronze : for Bronze profile
(Note: more formal technical means of indicating assurance status may be provided in the future.)
Usage
An Identity Provider operated by an InCommon participant which has been certified via the InCommon Identity Assurance Framework includes an eduPersonAssurance attribute in a SAML identity assertion to indicate to relying parties that the assertion has been issued under the conditions of one or more assurance profiles, using the values defined above. Identity Providers which have not been certified must not include these values in assertions they send.
To restrict access to users complying with a particular assurance profile, a Service Provider (SP) operator works with operators of its partner IdPs to ensure that those IdPs will include the eduPersonAssurance attribute in the assertions they send to the SP, and that the IdPs have been certified to do so. The SP operator implements processing logic to check (a) that the appropriate assurance value is present in the user's signon context and (b) that the asserting IdP is certified to assert that profile value. Note that the SP might reject access if the assertion doesn't contain the desired profile value(s), or might offer access and take other steps to mitigate risk.
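The following is an added illustration of the SP-side processing logic described above, checks (a) and (b); it is not InCommon's code and not part of this document. It assumes the SP software has already validated the assertion's signature and conditions, that the operator maintains a local registry of which partner IdPs are certified for which profile (the entityIDs, the registry contents and the assertion are constructed sample data), and that the attribute is carried under its eduPerson OID name or the friendly name eduPersonAssurance.

```python
"""Check eduPersonAssurance values in a SAML 2.0 assertion against a registry
of certified IdPs (added example; registry and assertion are constructed)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# eduPersonAssurance as named in the eduPerson schema (assumed attribute name)
ASSURANCE_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
SILVER = "http://incommonfederation.org/assurance/silver"
BRONZE = "http://incommonfederation.org/assurance/bronze"

# Constructed registry: which partner IdPs the SP operator has confirmed as
# certified for which profiles (kept in step with InCommon's assurance page).
CERTIFIED_IDPS = {
    "https://idp.example.edu/idp/shibboleth": {SILVER, BRONZE},
    "https://idp.bronze-only.example.org/idp/shibboleth": {BRONZE},
}


def make_assertion(issuer, values):
    """Build a minimal, unsigned assertion for demonstration only."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ASSURANCE_OID}" FriendlyName="eduPersonAssurance">{vals}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (issuer entityID, set of eduPersonAssurance values)."""
    root = ET.fromstring(xml_text)
    issuer_el = root.find("saml:Issuer", SAML_NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    values = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == ASSURANCE_OID or attr.get("FriendlyName") == "eduPersonAssurance":
            for val in attr.iterfind("saml:AttributeValue", SAML_NS):
                if val.text:
                    values.add(val.text.strip())
    return issuer, values


def assurance_decision(xml_text, required_profile, registry=CERTIFIED_IDPS):
    """Apply check (a): the required value is present in the assertion, and
    check (b): the asserting IdP is certified for that profile.
    Returns (allowed, reason) so the caller can either reject or grant access
    with additional risk mitigation, as the procedure allows."""
    issuer, values = parse_assertion(xml_text)
    if required_profile not in values:
        return False, "assertion does not carry the required assurance value"
    if required_profile not in registry.get(issuer, set()):
        # An uncertified IdP must not send this value; treat the claim as void.
        return False, f"issuer {issuer} is not certified for {required_profile}"
    return True, "ok"


if __name__ == "__main__":
    ok_assertion = make_assertion("https://idp.example.edu/idp/shibboleth", [SILVER])
    print(assurance_decision(ok_assertion, SILVER))
    uncertified = make_assertion("https://idp.bronze-only.example.org/idp/shibboleth", [SILVER])
    print(assurance_decision(uncertified, SILVER))
```

The second check is the one that matters for risk: a Silver value from an IdP that is only certified for Bronze (or not certified at all) is treated exactly like a missing value, because the attribute alone proves nothing about the conditions under which the assertion was issued.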