Interface specifications and the interpretation of LOAs
The ETD framework uses the LOA (level of assurance) quite loosely, to define the level that a login means or an authorisation MUST have for a user to be able to log in. Because these LOA levels are defined in several locations in the framework, this page gives an overview of all of them and of how they interact with each other.
Locations of LOA:
| Location in AS | Field/location | Rationale |
|---|---|---|
| Service catalog | AuthnContextClassRef | This is the maximum LOA as defined by the DV. Means and authorisations need to have this LOA or higher to log in. To be able to use all functionality of the service, the user needs to have means and authorisations of this LOA or higher. The actual LOA needed can be defined in the request; see below. |
| DV->HM | Request/RequestedAuthnContext/AuthnContextClassRef | This allows a DV to override its own maximum LOA downward. It can therefore only be lower than or equal to the one in the service catalog. Also known as the minimum-minimum LOA (the minimal LOA for minimal functionality). |
| HM->DV | Response/AuthnContextClassRef | This is the LOA which is communicated back to the DV. |
| HM->AD | Request/RequestedAuthnContext | This allows a DV to override its own maximum LOA downward. It can therefore only be lower than or equal to the one in the service catalog. This is the minimum LOA needed for this specific login. This LOA is passed on by the HM. |
| AD->HM | Response/AuthnStatement | This communicates the level at which the user has authenticated. This level needs to be higher than or equal to the level as stated in the service catalog or the request. |
| HM->MR | Request/LevelOfAssurance | This allows a DV to override its own maximum LOA downward. It can therefore only be lower than or equal to the one in the service catalog. This is the minimum LOA needed for this specific login. This LOA is passed on by the HM. |
| MR->HM | Response/LevelOfAssuranceUsed | This communicates the level at which the authorisation was registered. This level needs to be higher than or equal to the level as stated in the service catalog or the request. |
Schematically, the attributes are passed as follows:
| DV->HM | HM->AD | HM->MR | AD->HM | MR->HM | HM->DV |
|---|---|---|---|---|---|
| Request/RequestedAuthnContext/AuthnContextClassRef | Request/RequestedAuthnContext | Request/LevelOfAssurance | X | X | X |
| X | X | X | Response/AuthnStatement | Response/LevelOfAssuranceUsed | Response/AuthnContextClassRef |
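As an added example (not code from the ETD framework or its specification), this is how an HM could apply the comparison rules from the tables above: the request may only lower the service catalog LOA, and the AD's AuthnStatement level and the MR's LevelOfAssuranceUsed must each reach the effective minimum before anything is reported back to the DV. The LOA identifiers and their ordering, the constructed Response fragment, and the choice to report the lower of the two levels to the DV are all assumptions, not taken from this page.

```python
from xml.etree import ElementTree as ET
# Assumed LOA ordering, lowest first; the URNs are illustrative assumptions,
# the page itself lists no concrete identifiers.
LOA_ORDER = [
    "urn:etoegang:core:assurance-class:loa2",
    "urn:etoegang:core:assurance-class:loa2plus",
    "urn:etoegang:core:assurance-class:loa3",
    "urn:etoegang:core:assurance-class:loa4",
]
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed AD Response fragment with one AuthnStatement (not a real message).
SAMPLE_RESPONSE = f"""<Response xmlns:saml="{SAML_NS}">
  <saml:Assertion><saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{LOA_ORDER[2]}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
</Response>"""

def loa_rank(loa):
    """Position in LOA_ORDER; an unknown identifier is an error, never 'lowest'."""
    if loa not in LOA_ORDER:
        raise ValueError(f"unknown LOA identifier: {loa!r}")
    return LOA_ORDER.index(loa)

def effective_minimum_loa(catalog_loa, requested_loa=None):
    """Minimum LOA for this login: the request may only lower the service
    catalog LOA, so a request above the catalog value is rejected."""
    if requested_loa is None:
        return catalog_loa
    if loa_rank(requested_loa) > loa_rank(catalog_loa):
        raise ValueError("RequestedAuthnContext exceeds the service catalog LOA")
    return requested_loa

def check_response(catalog_loa, requested_loa, authn_loa, authz_loa):
    """Check the AD's AuthnStatement LOA and the MR's LevelOfAssuranceUsed
    against the effective minimum. Returns the LOA to report to the DV, here
    assumed to be the lower of the two, since both must hold for the login."""
    minimum = effective_minimum_loa(catalog_loa, requested_loa)
    for name, value in (("AuthnStatement", authn_loa),
                        ("LevelOfAssuranceUsed", authz_loa)):
        if loa_rank(value) < loa_rank(minimum):
            raise ValueError(f"{name} LOA {value} is below required {minimum}")
    return min(authn_loa, authz_loa, key=loa_rank)

def authn_loa_from_response(response_xml):
    """Extract the single AuthnContextClassRef; zero or several is an error."""
    refs = [e.text.strip() for e in ET.fromstring(response_xml)
            .iter(f"{{{SAML_NS}}}AuthnContextClassRef") if e.text]
    if len(refs) != 1:
        raise ValueError(f"expected one AuthnContextClassRef, found {len(refs)}")
    return refs[0]
```

An unknown LOA identifier is rejected outright rather than ranked as the lowest level, so a malformed or unexpected value can never satisfy the minimum by accident.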