Anyone can create an eduID and manage their own data. If more assurance about the user's information is needed, SPs can request a certain trust level when users log in at eduID. This is done by setting the AuthnContextClassRef in the SAML or OIDC request. At this time three different trust levels are supported.

<samlp:RequestedAuthnContext Comparison="exact">
	<saml:AuthnContextClassRef>https://eduid.nl/trust/linked-institution</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

The SURFconext gateway (EngineBlock) passes this attribute to the eduID IdP. If the SP requests an account link, eduID checks whether the user has previously made a link that can satisfy the request; if not, the user is asked to make one. Once the account is linked, the AuthnContextClassRef in the eduID response matches the requested value.

<saml:AuthnContext>
	<saml:AuthnContextClassRef>https://eduid.nl/trust/linked-institution</saml:AuthnContextClassRef>
</saml:AuthnContext>

In OIDC-NG this value ends up in the acr claim.
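The SP side of the exchange above, as an added example that is not eduID or SURFconext code: build the RequestedAuthnContext for the AuthnRequest, then verify that the AuthnContextClassRef (SAML) or acr claim (OIDC-NG) that comes back is exactly the value that was requested, rather than assuming it because it was asked for. It assumes the SAML response is available as an XML string and that the OIDC ID token has already been signature-verified and decoded into a dict; the sample response is constructed and carries no signature.

```python
"""Added example (not eduID/SURFconext code): SP-side check that the returned
authentication context equals the requested ACR.

Assumptions: signature validation of the SAML response / ID token has already
been done elsewhere; only the ACR comparison is shown here."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# ACR values from the eduID trust-level table on this page.
EDUID_ACRS = {
    "https://eduid.nl/trust/linked-institution",
    "https://eduid.nl/trust/validate-names",
    "https://eduid.nl/trust/validate-names-external",
    "https://eduid.nl/trust/affiliation-student",
    "https://refeds.org/profile/mfa",
}


def requested_authn_context(acr: str) -> str:
    """Return the RequestedAuthnContext element to embed in the AuthnRequest.

    Comparison="exact" is what the page shows; eduID must then answer with
    exactly this class reference."""
    if acr not in EDUID_ACRS:
        raise ValueError(f"unknown ACR: {acr}")
    return (
        f'<samlp:RequestedAuthnContext xmlns:samlp="{SAMLP_NS}" '
        f'xmlns:saml="{SAML_NS}" Comparison="exact">'
        f"<saml:AuthnContextClassRef>{acr}</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext>"
    )


def saml_acr_satisfied(response_xml: str, requested: str) -> bool:
    """True only if an AuthnContextClassRef in the response equals `requested`."""
    root = ET.fromstring(response_xml)
    refs = [
        e.text.strip()
        for e in root.iter(f"{{{SAML_NS}}}AuthnContextClassRef")
        if e.text
    ]
    # Comparison="exact": no prefix or "at least as strong" matching.
    return requested in refs


def oidc_acr_satisfied(id_token_claims: dict, requested: str) -> bool:
    """OIDC-NG variant: the same value is carried in the acr claim."""
    return id_token_claims.get("acr") == requested


# Constructed, minimal sample response (a real one carries a signed Assertion).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">
  <saml:Assertion>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>https://eduid.nl/trust/linked-institution</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(requested_authn_context("https://eduid.nl/trust/linked-institution"))
    print(saml_acr_satisfied(SAMPLE_RESPONSE, "https://eduid.nl/trust/linked-institution"))
    print(saml_acr_satisfied(SAMPLE_RESPONSE, "https://eduid.nl/trust/validate-names"))
```

The point of the two `*_satisfied` functions is that a requested trust level is only an input to the IdP; the SP's authorization decision must rest on the value that actually comes back in the assertion or ID token.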


Supported trust levels (columns of the original table: ACR, Description, Attributes in the response*, Valid period, Store in eduID Profile):

ACR: https://eduid.nl/trust/linked-institution
Description: Require the user to be able to log in to any Dutch educational institution connected to SURFconext. If no link has been made, or the link has expired, the user is asked to log in to an institution to validate the account.
Attributes in the response*: eduID scoped identifier; self-asserted givenname; self-asserted surname; self-asserted email; scoped affiliation(s)
Valid period: 6 months
Store in eduID Profile: scoped affiliation; timestamp of link; eppn

ACR: https://eduid.nl/trust/validate-names
Description: Require the name of the user (givenname and surname) to be validated by an external IdP. This can be an educational institution or an external trusted party (e.g. a government identity provider or a financial institution). If multiple external IdPs are linked, the names provided by the last IdP are returned.
Attributes in the response*: eduID scoped identifier; validated given name; validated surname; self-asserted email; scoped affiliation(s)
Valid period: 6 years for validated names; 6 months for other attributes
Store in eduID Profile: scoped affiliation; timestamp of link; validated names (overwrites previously validated names, does not overwrite self-asserted names)

ACR: https://eduid.nl/trust/validate-names-external
Description: Require the name of the user (givenname and surname) to be validated by an external (not educational or research) party. The user can use iDIN or eIDAS to validate this information. (This feature is currently being developed and will be available soon.)
Attributes in the response*: eduID scoped identifier; validated given name; validated surname; self-asserted email; date of birth
Valid period: 6 years
Store in eduID Profile: timestamp of link; validated names (overwrites previously validated names, does not overwrite self-asserted names); date of birth

ACR: https://eduid.nl/trust/affiliation-student
Description: Require the user to have linked an IdP where their eduPersonAffiliation is 'student'. If no link with this affiliation has been made, or the link has expired, the user is asked to log in to an institution to validate the account.
Attributes in the response*: eduID scoped identifier; self-asserted givenname; self-asserted surname; self-asserted email; scoped affiliation(s)
Valid period: 6 months
Store in eduID Profile: scoped affiliation; timestamp of link; eppn

ACR: https://refeds.org/profile/mfa
Description: Request Multi-Factor Authentication (MFA). Currently this forces the user to authenticate with the eduID smartphone app. If the user has not registered the app before, they are offered the chance to do so now.
Attributes in the response*: eduID scoped identifier; self-asserted givenname; self-asserted surname; self-asserted email; scoped affiliation(s)
Valid period: session
Store in eduID Profile: (nothing)

* The Attribute Release Policy in SURFconext's EngineBlock controls which of these attributes are actually released to the SP.



User-facing explanation shown when linking is needed:

ACR: https://eduid.nl/trust/linked-institution
English: Your eduID account must be linked to a trusted party.
Dutch: Je eduID-account moet zijn gekoppeld aan een vertrouwde instelling.

ACR: https://eduid.nl/trust/validate-names
English: Your first name and last name must be verified by a trusted party.
Dutch: Je voornaam en achternaam moeten worden geverifieerd door een vertrouwde instelling.

ACR: https://eduid.nl/trust/affiliation-student
English: You must prove that you are following education in the Netherlands by linking your eduID account to a trusted party.
Dutch: Je moet aantonen dat je in Nederland onderwijs volgt door je eduID-account te koppelen aan een vertrouwde instelling.

ACR: https://refeds.org/profile/mfa
English: Login with the eduID app to ensure your identity.
Dutch: Dienst Playground Client heeft een login verzocht met de eduID app om je identiteit te bevestigen.
