Level of assurance
Elektronische Toegangsdiensten distinguishes five different levels of assurance.
LoA | Level | SAML2 AuthnContextClassRef element
---|---|---
1 | Non-existent | urn:etoegang:core:assurance-class:loa1
2 | Low | urn:etoegang:core:assurance-class:loa2
2+ | Low | urn:etoegang:core:assurance-class:loa2plus
3 | Substantial | urn:etoegang:core:assurance-class:loa3
4 | High | urn:etoegang:core:assurance-class:loa4
Other values MUST NOT be used.
Refer to Betrouwbaarheidsniveaus for legal context, and Normenkader betrouwbaarheidsniveaus for level of assurance in the context of the eIDAS regulation (EU 2015/1502).
For the Level of Assurance communicated in assertions in Elektronische Toegangsdiensten technical interfaces, the following rules apply:

- The AD MUST communicate the Level of Assurance at which the authentication was realized. This realized level is the minimum of the Level of Assurance of the registration process of the authenticated user and the Level of Assurance of the authentication mechanism applied. An AD MUST NOT communicate a level for which it is not certified.
- The MR MUST communicate the Level of Assurance of the registered authorization. An MR MUST NOT communicate a level for which it is not certified.
- In case of a chain of authorizations, the MR MUST communicate the minimum of the LoA of all Representation authorizations in the applicable chain (so far).
- In case of a request for a portal service, an MR MUST communicate the Level of Assurance as the minimum Level of Assurance of all applicable service authorizations chosen by the user.
- The HM MUST communicate the effective Level of Assurance of the combined assertions. The effective Level of Assurance is the minimum of the LoA of the Authentication assertion and (if applicable) the LoA of the Representation authorization assertion(s).
- The MR communicates two Levels of Assurance in its Assertion: a LevelOfAssurance (requested) and a LevelOfAssuranceUsed (actually obtained). The HM MUST use the LevelOfAssuranceUsed from the MR Assertion as the LoA of the Representation authorization.
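The minimum rules above are easy to get wrong when LoA 2+ is compared as a string or a number, so the following added example (not part of the Elektronische Toegangsdiensten specification) ranks the five allowed URNs explicitly and applies the AD, MR and HM rules on top of that ordering. The function names and the `*_certified_loa` arguments are this example's own assumptions.

```python
# The five allowed AuthnContextClassRef values, lowest to highest. LoA 2+ sits
# strictly between 2 and 3, so this ordering is the only safe way to compare.
# Function names and the "certified" arguments are assumptions of this example.
LOA_URNS = [
    "urn:etoegang:core:assurance-class:loa1",
    "urn:etoegang:core:assurance-class:loa2",
    "urn:etoegang:core:assurance-class:loa2plus",
    "urn:etoegang:core:assurance-class:loa3",
    "urn:etoegang:core:assurance-class:loa4",
]
LOA_RANK = {urn: rank for rank, urn in enumerate(LOA_URNS)}

def is_allowed_loa(urn):
    """True only for the five listed URNs; any other value MUST NOT be used."""
    return urn in LOA_RANK

def loa_rank(urn):
    """Rank of an allowed URN; rejects unknown values instead of guessing a level."""
    if not is_allowed_loa(urn):
        raise ValueError(f"AuthnContextClassRef value not allowed: {urn!r}")
    return LOA_RANK[urn]

def min_loa(urns):
    """Lowest LoA in a non-empty collection of URNs (each one is validated)."""
    urns = list(urns)
    if not urns:
        raise ValueError("at least one LoA value is required")
    return min(urns, key=loa_rank)

def ad_authentication_loa(registration_loa, mechanism_loa, ad_certified_loa):
    """AD rule: min(registration LoA, mechanism LoA), never above the AD's certification."""
    realized = min_loa([registration_loa, mechanism_loa])
    if loa_rank(realized) > loa_rank(ad_certified_loa):
        raise ValueError("AD is not certified for the realized LoA")
    return realized

def mr_representation_loa(chain_loas, mr_certified_loa):
    """MR rule: min over the authorization chain (or over the chosen portal services)."""
    used = min_loa(chain_loas)
    if loa_rank(used) > loa_rank(mr_certified_loa):
        raise ValueError("MR is not certified for the resulting LoA")
    return used

def hm_effective_loa(authentication_loa, representation_loa_used=None):
    """HM rule: min of the AD assertion LoA and, if present, the MR's LevelOfAssuranceUsed."""
    parts = [authentication_loa]
    if representation_loa_used is not None:
        parts.append(representation_loa_used)
    return min_loa(parts)
```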