Anyone can create an eduID and manage their own data. If more assurance about the user's information is needed, SPs can request a certain trust level when users log in at eduID. This is done by setting the AuthnContextClassRef in the SAML or OIDC request. At this time three different trust levels are supported.
```xml
<samlp:RequestedAuthnContext Comparison="exact">
  <saml:AuthnContextClassRef>https://eduid.nl/trust/linked-institution</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
```
The SURFconext gateway (EngineBlock) passes this attribute to the eduID IdP. If the SP requests an account link, eduID checks whether the user has previously made a link that can satisfy the request; if not, the user is asked to make one. Once the account is linked, the AuthnContextClassRef in the eduID response matches the requested value.
```xml
<saml:AuthnContext>
  <saml:AuthnContextClassRef>https://eduid.nl/trust/linked-institution</saml:AuthnContextClassRef>
</saml:AuthnContext>
```
In OIDC-NG this value ends up in the acr claim.
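An SP must not assume that the requested context was granted: the value to act on is the AuthnContextClassRef (or acr claim) that actually comes back. The following added example (not eduID or SURFconext code) builds the RequestedAuthnContext element shown above and checks a returned SAML response or OIDC claim set against the requested value with the same exact comparison; the sample response is constructed here and assumes your SAML library has already verified the signature.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# ACR values documented on this page.
LINKED_INSTITUTION = "https://eduid.nl/trust/linked-institution"
VALIDATE_NAMES = "https://eduid.nl/trust/validate-names"
VALIDATE_NAMES_EXTERNAL = "https://eduid.nl/trust/validate-names-external"
AFFILIATION_STUDENT = "https://eduid.nl/trust/affiliation-student"
REFEDS_MFA = "https://refeds.org/profile/mfa"


def build_requested_authn_context(acr: str) -> str:
    """RequestedAuthnContext element for the AuthnRequest, Comparison="exact"."""
    return (
        f'<samlp:RequestedAuthnContext xmlns:samlp="{NS["samlp"]}" Comparison="exact">'
        f'<saml:AuthnContextClassRef xmlns:saml="{NS["saml"]}">{acr}</saml:AuthnContextClassRef>'
        "</samlp:RequestedAuthnContext>"
    )


def returned_acr_from_saml(response_xml: str) -> Optional[str]:
    """AuthnContextClassRef from the assertion's AuthnStatement, or None if absent."""
    root = ET.fromstring(response_xml)
    el = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return el.text.strip() if el is not None and el.text else None


def acr_satisfied(requested: str, returned: Optional[str]) -> bool:
    """Exact match only; a missing or different value means the request was not met."""
    return returned is not None and returned == requested


def oidc_acr_satisfied(requested: str, claims: dict) -> bool:
    """Same check for OIDC-NG, where the value arrives in the acr claim."""
    return acr_satisfied(requested, claims.get("acr"))


# Constructed sample response; signature, Issuer, Subject and Conditions omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>https://eduid.nl/trust/linked-institution</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(acr_satisfied(LINKED_INSTITUTION, returned_acr_from_saml(SAMPLE_RESPONSE)))
```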
ACR | Description | Attributes in the response* | Valid period | Stored in eduID profile |
---|---|---|---|---|
https://eduid.nl/trust/linked-institution | Require the user to be able to log in to any Dutch educational institution connected to SURFconext. If no link has been made, or the link has expired, the user is asked to log in to an institution to validate their account. | eduID scoped identifier, self-asserted given name, self-asserted surname, self-asserted email, scoped affiliation(s) | 6 months | Scoped affiliation, timestamp of link, eppn |
https://eduid.nl/trust/validate-names | Require the name of the user (given name and surname) to be validated by an external IdP. This can be an educational institution or an external trusted party (e.g. a government identity provider or a financial institution). If multiple external IdPs are linked, the names provided by the last IdP are returned. | eduID scoped identifier, validated given name, validated surname, self-asserted email, scoped affiliation(s) | 6 years for validated names, 6 months for other attributes | Scoped affiliation, timestamp of link, validated names (overwrites previously validated names, does not overwrite self-asserted names) |
https://eduid.nl/trust/validate-names-external | Require the name of the user (given name and surname) to be validated by an external party (not an educational or research institution). The user can use iDIN or eIDAS to validate their information. | eduID scoped identifier, validated given name, validated surname, self-asserted email, date of birth | 6 years | Timestamp of link, validated names (overwrites previously validated names, does not overwrite self-asserted names), date of birth |
https://eduid.nl/trust/affiliation-student | Require the user to have linked an IdP where their eduPersonAffiliation is 'student'. If no link with this affiliation has been made, or the link has expired, the user is asked to log in to an institution to validate their account. | eduID scoped identifier, self-asserted given name, self-asserted surname, self-asserted email, scoped affiliation(s) | 6 months | Scoped affiliation, timestamp of link, eppn |
https://refeds.org/profile/mfa | Request multi-factor authentication (MFA). Currently this forces the user to authenticate with the eduID smartphone app. If the user has not registered the app before, they are offered to do so now. | eduID scoped identifier, self-asserted given name, self-asserted surname, self-asserted email, scoped affiliation(s) | session | - |
* The Attribute Release Policy in SURFconext's EngineBlock controls which of these attributes are actually released to the SP.
User-facing explanation shown when linking is needed:
ACR | English | Dutch |
---|---|---|
https://eduid.nl/trust/linked-institution | Your eduID account must be linked to a trusted party. | Je eduID-account moet zijn gekoppeld aan een vertrouwde instelling. |
https://eduid.nl/trust/validate-names | Your first name and last name must be verified by a trusted party. | Je voornaam en achternaam moeten worden geverifieerd door een vertrouwde instelling. |
https://eduid.nl/trust/affiliation-student | You must prove that you are following education in the Netherlands by linking your eduID account to a trusted party. | Je moet aantonen dat je in Nederland onderwijs volgt door je eduID-account te koppelen aan een vertrouwde instelling. |
https://refeds.org/profile/mfa | Login with the eduID app to ensure your identity. | Dienst Playground Client heeft een login verzocht met de eduID app om je identiteit te bevestigen. |