eduPersonAssurance

Description Set of URIs that assert compliance with specific standards for identity assurance.

This multi-valued attribute represents identity assurance profiles (IAPs), which are the set of standards that are met by an identity assertion, based on the identity provider's identity management processes, the type of authentication credential used, the strength of its binding, etc.

Those establishing values for this attribute should provide documentation explaining the semantics of the values.

As a multi-valued attribute, relying parties may receive multiple values and should ignore unrecognized values. The converse also holds: an assertion that carries only unrecognized values gives the relying party no assurance at all, and should be treated the same as an assertion with no eduPersonAssurance value.

The driving force behind the definition of this attribute is to enable applications to understand the strengths of different identity management systems and authentication events, together with the processes and procedures governing their operation, so that they can assess whether a given transaction meets the requirements for access.
Format A URN that resolves to the definition of the value used.
Classification Security attributes and keys
Origin/ObjectClass eduPerson
OID 1.3.6.1.4.1.5923.1.1.1.11
SAML attribute name urn:oid:1.3.6.1.4.1.5923.1.1.1.11
LDAP syntax directoryString [1.3.6.1.4.1.1466.115.121.1.15]
Number of values multiple
Example values eduPersonAssurance: urn:mace:caudit.edu.au:iap:id:1
eduPersonAssurance: urn:mace:caudit.edu.au:iap:id:2
Notes on usage There are different aspects to the concept of assurance, including the strength of assurance in the user's identity and the strength of the method used to authenticate the user. In a SAML federation, it is possible to use two attributes to differentiate these concepts. The AuthenticationMethod attribute that is part of the SAML transaction (an XML attribute of the SAML 1.x AuthenticationStatement; in SAML 2.0 the equivalent is the AuthnContextClassRef element inside the AuthnStatement) can assert the strength of the authentication method used in the transaction, and the eduPersonAssurance attribute can assert the level of assurance in the user's identity. The SAML AuthenticationMethod attribute is not listed as part of this document's attribute vocabulary because it is not an attribute about the user and is not stored in an organisation's LDAP directory; it is related to the authentication transaction.

Section 5 of this document provides a standard vocabulary to express both of these concepts - the strength of assurance in the user's identity and the strength of the method used to authenticate the user.

The CAUDIT URN namespace shown in the examples above contains the definitions of the values in the standard vocabulary. Applications using this vocabulary may choose to use the CAUDIT URNs directly or may create their own URN namespace with the value definitions.
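The following is an added example, not code from this page or from UniSA, showing how a service provider would apply both concepts described above to one SAML 2.0 transaction: it collects every value of the multi-valued eduPersonAssurance attribute (by its urn:oid name), ignores values from namespaces it does not recognise, reads the AuthnContextClassRef from the AuthnStatement, and combines the two into an access decision. The sample assertion is constructed, the urn:example:local:iap:gold value is a hypothetical unrecognised namespace, and it is an assumption that the integer at the end of a CAUDIT iap:id URN orders the levels with higher meaning stronger. Signature, issuer, audience and validity-window checks are assumed to have been done by the SP before any attribute value reaches this code.

```python
import re
import xml.etree.ElementTree as ET

SAML2 = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EDU_PERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)

# Assumption: CAUDIT identity assurance profile URNs end in an integer level and
# a higher number means stronger identity assurance, consistent with the example
# values ...:iap:id:1 and ...:iap:id:2 on this page.
CAUDIT_IAP = re.compile(r"^urn:mace:caudit\.edu\.au:iap:id:(\d+)$")

# Constructed sample assertion (not captured from UniSA or any real IdP). It
# carries two CAUDIT values plus one from a hypothetical namespace this SP does
# not know about, so the "ignore unrecognised values" rule is exercised.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0nstructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>urn:mace:caudit.edu.au:iap:id:1</saml:AttributeValue>
      <saml:AttributeValue>urn:mace:caudit.edu.au:iap:id:2</saml:AttributeValue>
      <saml:AttributeValue>urn:example:local:iap:gold</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assurance_values(assertion_xml):
    """Return every eduPersonAssurance value in the assertion, in document order.

    The attribute is multi-valued, so all AttributeValue children are
    collected here; deciding which ones are recognised is left to the caller.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML2):
        if attr.get("Name") != EDU_PERSON_ASSURANCE:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML2):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def identity_assurance_level(values):
    """Highest recognised CAUDIT IAP level; unrecognised values are ignored.

    No recognised value maps to 0 (no assurance), so an assertion carrying
    only values from an unknown namespace can never satisfy a positive minimum.
    """
    levels = [int(m.group(1)) for m in map(CAUDIT_IAP.match, values) if m]
    return max(levels, default=0)


def authn_context_class(assertion_xml):
    """AuthnContextClassRef from the SAML 2.0 AuthnStatement, or None if absent."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML2
    )
    return ref.text.strip() if ref is not None and ref.text else None


def access_decision(assertion_xml, min_identity_level, accepted_authn_contexts):
    """Apply both axes of assurance to one transaction; returns (allowed, reason).

    Assumes the SP has already validated the assertion's signature, issuer,
    audience and validity window. Attribute values from an unverified
    assertion must never reach this point.
    """
    level = identity_assurance_level(assurance_values(assertion_xml))
    if level < min_identity_level:
        return False, "identity assurance level %d below required %d" % (
            level, min_identity_level)
    context = authn_context_class(assertion_xml)
    if context not in accepted_authn_contexts:
        return False, "authentication context %s not accepted" % context
    return True, "identity assurance level %d, authentication context %s" % (
        level, context)


if __name__ == "__main__":
    print(assurance_values(SAMPLE_ASSERTION))
    print(access_decision(SAMPLE_ASSERTION, 2, {PASSWORD_PROTECTED_TRANSPORT}))
```

Two design points are worth noting. First, the identity and authentication checks are evaluated separately and both must pass, so a strong credential cannot compensate for a weakly vetted identity or vice versa. Second, the level is derived only from values whose namespace the SP knows; an IdP that starts sending values from a new namespace will be treated as asserting nothing until the SP is taught that namespace, which fails closed rather than open.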
Available
Source Static (see note)

Only assurance level 1.
UniSA currently only returns an assurance level of 1 (urn:mace:caudit.edu.au:iap:id:1) for all users, until such time as a higher assurance level is needed.

Labels: schema-eduperson, attr-core