SURFsecureID uses Levels of Assurance (LoA) to express the strength of authentication. This page describes how a service or institution can request a LoA for a specific service or part of a service. Furthermore, the LoA identifiers differ between the environments and between the authentication method used.
A service can communicate the required LoA to the SURFsecureID gateway and verify the strength at which a user was authenticated.
There are three ways to request a LoA, explained below. They can be combined: the gateway uses the scenario that yields the highest LoA.
1. Minimum LoA specified by the institution (static)
The institution requires that, for a specific SP, its users are always authenticated at a certain minimum LoA.
The institution must ask SURFnet to set this minimum. SURFnet will configure this on the SURFsecureID gateway.
2. Minimum LoA specified by SP (static)
The SP always requires a certain minimum LoA.
The SP must ask SURFnet to set this minimum. SURFnet will configure this on the SURFsecureID gateway.
3. LoA defined during authentication (dynamic)
An SP can request authentication at a certain LoA by specifying it in the SAML AuthnRequest. The SP can send this request to the gateway at any time, even when a user is already logged in. This makes it possible to raise the LoA for a user depending on the context, e.g. when the user wants to enter the admin part of the site.
The LoA is passed to the SURFsecureID gateway in an AuthnContextClassRef element inside a RequestedAuthnContext element in the SAML AuthnRequest.
The requested LoA is interpreted as a minimum. The SURFsecureID gateway:
Assertion.
The LoA identifiers are used in the SAML messages that communicate the LoA between the SURFsecureID gateway and the SP. The actual authentication method itself (e.g. SMS + password) is not communicated!
When using the standard authentication with SURFsecureID, three levels of assurance (LoA) are supported:
Each LoA is assigned an identifier, which differs per environment:
LoA | Test | Pilot | Production
---|---|---|---
LoA 1 | http://test.surfconext.nl/assurance/loa1 | http://pilot.surfconext.nl/assurance/loa1 | http://surfconext.nl/assurance/loa1
LoA 2 | http://test.surfconext.nl/assurance/loa2 | http://pilot.surfconext.nl/assurance/loa2 | http://surfconext.nl/assurance/loa2
LoA 3 | http://test.surfconext.nl/assurance/loa3 | http://pilot.surfconext.nl/assurance/loa3 | http://surfconext.nl/assurance/loa3
These identifiers are used to communicate the strength of authentication between the SURFsecureID gateway and the Service Provider. The actual method of authentication (e.g. SMS + password) at the institutional IdP is not communicated.
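The two sides of this exchange as an added Python example (not SURFsecureID's own code): building the RequestedAuthnContext an SP puts in its AuthnRequest, and the check the SP should then perform on the returned Assertion, namely that the AuthnContextClassRef is one of the identifiers of the SP's own environment and meets the required minimum, with a higher LoA accepted because the request is a minimum. The sample assertion, the issuer URL and the environment names are constructed; the example assumes the Assertion's signature has already been validated and covers the standard (non-SFO) identifiers only.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)

# Standard (non-SFO) LoA identifiers per environment, as listed in the table above.
LOA_IDENTIFIERS = {
    "test": {f"http://test.surfconext.nl/assurance/loa{n}": n for n in (1, 2, 3)},
    "pilot": {f"http://pilot.surfconext.nl/assurance/loa{n}": n for n in (1, 2, 3)},
    "production": {f"http://surfconext.nl/assurance/loa{n}": n for n in (1, 2, 3)},
}

def requested_authn_context(environment: str, loa: int) -> str:
    """RequestedAuthnContext the SP puts in its AuthnRequest to ask for (at least) this LoA."""
    identifier = next(uri for uri, n in LOA_IDENTIFIERS[environment].items() if n == loa)
    ctx = ET.Element(f"{{{SAMLP_NS}}}RequestedAuthnContext")
    ET.SubElement(ctx, f"{{{SAML_NS}}}AuthnContextClassRef").text = identifier
    return ET.tostring(ctx, encoding="unicode")

def assertion_loa(assertion_xml: str, environment: str):
    """LoA asserted by the gateway, or None if the AuthnContextClassRef is missing or is
    not an identifier of this environment (a test/pilot URI must not pass in production)."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{SAML_NS}}}AuthnContextClassRef")
    if ref is None or not ref.text:
        return None
    return LOA_IDENTIFIERS[environment].get(ref.text.strip())

def meets_minimum(assertion_xml: str, environment: str, required_loa: int) -> bool:
    """The requested LoA is a minimum: a higher asserted LoA is fine, an unknown one fails closed."""
    loa = assertion_loa(assertion_xml, environment)
    return loa is not None and loa >= required_loa

# Constructed sample (signature omitted): the AuthnStatement the production gateway
# returns for a user authenticated at LoA 2. Validate the signature before this check.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_constructed">
  <saml:Issuer>https://gateway.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2020-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>http://surfconext.nl/assurance/loa2</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(requested_authn_context("production", 3))  # step-up request for the admin area
    print("LoA 3 required, granted:", meets_minimum(SAMPLE_ASSERTION, "production", 3))
```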
The gateway communicates the LoA at which the user was authenticated in an AuthnContextClassRef element in the AuthenticationContext of the SAML Assertion. The SP requests a LoA in an AuthnContextClassRef element in a RequestedAuthnContext of the SAML AuthnRequest. See SAML message examples for an example AuthnRequest that requests authentication at a specific LoA.
With Second Factor Only (SFO) authentication, "level" is used to indicate the authentication strength.
The following identifiers are used:
Level | Test | Pilot | Production
---|---|---|---
Level 2 | http://test.surfconext.nl/assurance/sfo-level2 | http://pilot.surfconext.nl/assurance/sfo-level2 | http://surfconext.nl/assurance/sfo-level2
Level 3 | http://test.surfconext.nl/assurance/sfo-level3 | http://pilot.surfconext.nl/assurance/sfo-level3 | http://surfconext.nl/assurance/sfo-level3