The SURFconext Strong Authentication gateway supports three levels of assurance (LoA):
- LoA 1: Only password authentication
- LoA 2: LoA 1 + SMS or Tiqr authentication
- LoA 3: LoA 1 + YubiKey (hardware token) authentication
Each LoA is assigned an identifier:
| | Pilot (test) | Production |
|---|---|---|
| LoA 1 | http://surfconext.nl/assurance/loa1 | |
| LoA 2 | http://pilot.surfconext.nl/assurance/loa2 | http://surfconext.nl/assurance/loa2 |
| LoA 3 | http://pilot.surfconext.nl/assurance/loa3 | http://surfconext.nl/assurance/loa3 |
These identifiers are used to communicate the strength of authentication between the SURFconext Strong Authentication gateway and the Service Provider. The actual method of authentication (e.g. SMS + password) is not communicated.
- The SURFconext Strong Authentication gateway reports the LoA at which authentication was performed to the SP in an AuthnContextClassRef element inside the AuthenticationContext of the SAML Assertion.
- An SP may request authentication at a specific LoA by specifying the identifier in an AuthnContextClassRef element inside a RequestedAuthnContext in the SAML AuthnRequest.
Second Factor Only (SFO) authentication
With Second Factor Only (SFO) Authentication, a "level" is used to indicate the authentication strength:
- Level 2: SMS or Tiqr authentication
- Level 3: YubiKey (hardware token) authentication
The following identifiers are used:
| | Pilot (test) | Production |
|---|---|---|
| Level 2 | http://pilot.surfconext.nl/assurance/sfo-level2 | http://surfconext.nl/assurance/sfo-level2 |
| Level 3 | http://pilot.surfconext.nl/assurance/sfo-level3 | http://surfconext.nl/assurance/sfo-level3 |
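The following Python example shows both halves of the exchange described on this page: building the RequestedAuthnContext an SP puts in its AuthnRequest, and reading the AuthnContextClassRef the gateway returns in the Assertion so the SP can verify that the asserted LoA (or SFO level) is at least what it asked for. It is an added illustration, not SURFconext code; the numeric ranking of the identifiers, the sample Assertion and its Issuer URL are constructed here for the demonstration, and the identifiers themselves are the ones from the tables above.

```python
"""Request a LoA in a SAML AuthnRequest and verify the LoA asserted by the gateway.

Added example, not SURFconext or gateway code. The ranking tables, the sample
Assertion and its Issuer value are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ET.register_namespace("saml", NS["saml"])
ET.register_namespace("samlp", NS["samlp"])

# Identifiers from the LoA table, ranked so an SP can check "at least this level".
# Pilot and production identifiers of the same level share a rank (assumption).
LOA_RANK = {
    "http://surfconext.nl/assurance/loa1": 1,
    "http://pilot.surfconext.nl/assurance/loa2": 2,
    "http://surfconext.nl/assurance/loa2": 2,
    "http://pilot.surfconext.nl/assurance/loa3": 3,
    "http://surfconext.nl/assurance/loa3": 3,
}

# Identifiers from the SFO table, ranked the same way.
SFO_RANK = {
    "http://pilot.surfconext.nl/assurance/sfo-level2": 2,
    "http://surfconext.nl/assurance/sfo-level2": 2,
    "http://pilot.surfconext.nl/assurance/sfo-level3": 3,
    "http://surfconext.nl/assurance/sfo-level3": 3,
}


def requested_authn_context_xml(identifier):
    """Serialize the RequestedAuthnContext element an SP places in its AuthnRequest."""
    req = ET.Element("{%s}RequestedAuthnContext" % NS["samlp"])
    ref = ET.SubElement(req, "{%s}AuthnContextClassRef" % NS["saml"])
    ref.text = identifier
    return ET.tostring(req, encoding="unicode")


def asserted_loa(assertion_xml):
    """Extract the AuthnContextClassRef the gateway reported in the Assertion."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    ref = root.find(path, NS)
    if ref is None or not ref.text:
        raise ValueError("assertion carries no AuthnContextClassRef")
    return ref.text.strip()


def loa_satisfied(assertion_xml, required, ranking=LOA_RANK):
    """True only if the asserted identifier is known and ranks at least as high as
    the required one. Unknown identifiers (including an SFO identifier when a
    LoA was required, or vice versa) are rejected rather than assumed sufficient."""
    got = asserted_loa(assertion_xml)
    if got not in ranking or required not in ranking:
        return False
    return ranking[got] >= ranking[required]


# Constructed sample Assertion: the gateway reports that LoA 2 was reached.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://gateway.example.org/metadata</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2020-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>http://surfconext.nl/assurance/loa2</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    print(requested_authn_context_xml("http://surfconext.nl/assurance/loa2"))
    print("asserted:", asserted_loa(SAMPLE_ASSERTION))
    for required in LOA_RANK:
        print(required, "->", loa_satisfied(SAMPLE_ASSERTION, required))
```

The check in loa_satisfied is the part an SP should never skip: it runs after the Assertion's signature has been validated, and it treats any identifier outside the expected table as a failure, so a response carrying LoA 1 or an SFO identifier cannot pass a check that required LoA 2 or LoA 3.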