Skip to main content
Skip table of contents

Interface specifications and the interpretation of LOAs

The ETD framework uses the LOA quite loosely to define a level at which a login means or authorisation MUST be in order for a user to login. Because these LOA levels are defined in various locations around the framework, this page will give an overview of all of them and how they interact with each other.

Locations of LoA:

Location in AS

Field/location

Rationale

Service catalog

(AuthnContextClassRef )

This is the maximum LOA as defined by the DV. Means and authorisations need to have this LOA or higher to login. To be able to use all functionality of the service, the user needs to have means and authorisations of this LOA, or higher. The actual LOA needed can be defined in the request. See below.

Interface specifications DV-HM

(Request/RequestedAuthnContext/AuthnContextClassRef)

This allows a DV to override its own maximum LOA downward. Therefore can only be lower or equal than the one in the service catalog. Also known as the minimum-minimumLOA. (Minimal LOA for minimal functionality)

Interface specifications DV-HM

(Response/AuthnContextClassRef)

This is the LOA which is communicated back to the DV

Interface specifications HM-AD

(Request/RequestedAuthnContext)

This allows a DV to override its own maximum LOA downward. Therefore can only be lower or equal than the one in the service catalog. This is the minimum LOA needed for this specific login. This LOA is passed on by the HM.

Interface specifications HM-AD

(Response/AuthnStatement)

This communicates the level at which the user has authenticated himself. This level needs to be higher or equal to the level as stated in the service catalog or the request.

Interface specifications HM-MR

(Request/LevelOfAssurance)

This allows a DV to override its own maximum LOA downward. Therefore can only be lower or equal than the one in the service catalog. This is the minimum LOA needed for this specific login. This LOA is passed on by the HM.

Interface specifications HM-MR

(Response/LevelOfAssuranceUsed )

This communicates the level at which the authorisation was registered. This level needs to be higher or equal to the level as stated in the service catalog or the request.

Schematically the attributes are passed like this:

DV->HM

HM->AD

HM->MR

AD->HM

MR->HM

HM->DV

(Request/RequestedAuthnContext/AuthnContextClassRef)

(Request/RequestedAuthnContext)

(Request/LevelOfAssurance)

X

X

X

X

X

X

(Response/AuthnStatement)

(Response/LevelOfAssuranceUsed )

(Response/AuthnContextClassRef)

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.