The SURFsecureID gateway supports three levels of assurance (LoA):
Each LoA is assigned to an identifier:
LoA | Pilot (test) | Production |
---|---|---|
LoA 1 | | http://surfconext.nl/assurance/loa1 |
LoA 2 | http://pilot.surfconext.nl/assurance/loa2 | http://surfconext.nl/assurance/loa2 |
LoA 3 | http://pilot.surfconext.nl/assurance/loa3 | http://surfconext.nl/assurance/loa3 |
These identifiers are used to communicate the strength of authentication between the SURFsecureID gateway and the Service Provider. The actual method of authentication (e.g. SMS + password) at the institutional IdP is not communicated.
- AuthnContextClassRef element in an AuthenticationContext in the SAML Assertion.
- AuthnContextClassRef element in a RequestedAuthnContext in a SAML AuthnRequest. See SAML message examples for an example AuthnRequest that requests authentication at a specific LoA.

With Second Factor Only (SFO) authentication, "level" is used to indicate the authentication strength:
The following identifiers are used:
Level | Pilot (test) | Production |
---|---|---|
Level 2 | http://pilot.surfconext.nl/assurance/sfo-level2 | http://surfconext.nl/assurance/sfo-level2 |
Level 3 | http://pilot.surfconext.nl/assurance/sfo-level3 | http://surfconext.nl/assurance/sfo-level3 |
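For the LoA identifiers in the first table, a Service Provider has to check the AuthnContextClassRef it receives rather than assume the level it requested was met. The following is an added example, not code from SURFsecureID or its documentation; the function names, the numeric ranking and the sample assertion are assumptions made for illustration, and signature verification is assumed to have been done already by the SP's SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REF_PATH = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"

# Production identifiers from the table above, ranked so they can be compared.
PRODUCTION_LOA = {
    "http://surfconext.nl/assurance/loa1": 1,
    "http://surfconext.nl/assurance/loa2": 2,
    "http://surfconext.nl/assurance/loa3": 3,
}


class LoaError(Exception):
    """The asserted LoA is missing, ambiguous, unknown or too low."""


def asserted_loa(assertion_xml, known=PRODUCTION_LOA):
    """Return the rank of the LoA named in AuthnContextClassRef.

    Assumption: the caller's SAML library has already verified the
    assertion's signature; this function only interprets the value.
    """
    refs = ET.fromstring(assertion_xml).findall(REF_PATH, NS)
    if len(refs) != 1:
        raise LoaError("expected exactly one AuthnContextClassRef, got %d" % len(refs))
    value = (refs[0].text or "").strip()
    if value not in known:  # exact match only: pilot URIs fail in production
        raise LoaError("unrecognised LoA identifier: %r" % value)
    return known[value]


def require_loa(assertion_xml, minimum, known=PRODUCTION_LOA):
    """Raise LoaError unless the assertion reports at least `minimum`."""
    level = asserted_loa(assertion_xml, known)
    if level < minimum:
        raise LoaError("LoA %d asserted, LoA %d required" % (level, minimum))
    return level


def sample_assertion(class_ref):
    """Constructed, unsigned assertion fragment for demonstration only."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>" % class_ref
    )
```

Matching the identifier as an exact string keeps the pilot and production environments separate: an assertion carrying a pilot identifier is rejected by a check configured with the production set.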