To express the "strength" of the authentication and the identity of the user, an assurance framework as described in NIST Special Publication 800-63-1 and ISO/IEC 29115 is used. The SURFconext Strong Authentication gateway will support 3 levels of assurance (LoA):

  • LoA 1 : Password authentication through SURFconext at the user's home IdP
  • LoA 2 : LoA 1 + SMS or Tiqr authentication
  • LoA 3 : LoA 1 + YubiKey (hardware token) authentication


Each LoA is assigned a unique identifier. The following identifiers are used:


These identifiers are used in SAML protocol messages to communicate the LoA between the SURFconext Strong Authentication gateway and an SP.

  • The SURFconext Strong Authentication gateway will report the actual LoA at which authentication was performed in an AuthnContextClassRef element in an AuthenticationContext in the SAML Assertion that the SP receives from the SURFconext Strong Authentication gateway after successful authentication.
  • An SP may request authentication at a specific LoA by specifying one of the defined LoA identifiers in an AuthnContextClassRef element in a RequestedAuthnContext in a SAML AuthnRequest.
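An SP-side sketch of the exchange described above, added here as an example and not taken from SURFconext: it builds the RequestedAuthnContext for a request and then checks the AuthnContextClassRef reported in the assertion. The `urn:example:assurance:*` identifiers are placeholders for the gateway's real LoA identifiers, the function names are hypothetical, and the code assumes the assertion's signature was already validated by the SP's SAML library and that a higher LoA satisfies a lower requirement.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Placeholder identifiers (assumption): substitute the gateway's published LoA identifiers.
LOA_LEVELS = {
    "urn:example:assurance:loa1": 1,
    "urn:example:assurance:loa2": 2,
    "urn:example:assurance:loa3": 3,
}

def requested_authn_context(loa_id):
    """Build the RequestedAuthnContext element an SP places in its AuthnRequest."""
    if loa_id not in LOA_LEVELS:
        raise ValueError("unknown LoA identifier")
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext")
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = loa_id
    return rac

def reported_loa(assertion_xml):
    """Return the numeric LoA reported in an assertion; raise if absent or unknown."""
    root = ET.fromstring(assertion_xml)
    refs = root.findall(f".//{{{SAML}}}AuthnContextClassRef")
    # Design choice for this example: anything other than one reference is rejected.
    if len(refs) != 1:
        raise ValueError("expected exactly one AuthnContextClassRef")
    level = LOA_LEVELS.get((refs[0].text or "").strip())
    if level is None:
        raise ValueError("unrecognised LoA identifier")
    return level

def loa_sufficient(assertion_xml, required_id):
    """Fail closed: True only when the reported LoA is at least the required one."""
    try:
        return reported_loa(assertion_xml) >= LOA_LEVELS[required_id]
    except (ValueError, KeyError, ET.ParseError):
        return False

# Constructed sample assertion fragment (not captured traffic).
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:example:assurance:loa2</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""
```

The SP should make its access decision on the reported value, not on the value it requested, since the assertion carries the LoA at which authentication was actually performed.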