
Institution Specific LoA

Tim van Dijen edited this page Nov 22, 2022 · 2 revisions

Applying institution specific LoA requirements per SP

An institution is identified by the value of the schacHomeOrganization attribute. A user is assigned an institution during registration in the selfservice portal based on the value of the schacHomeOrganization attribute. The schacHomeOrganization attribute is mandatory for a login to the selfservice portal.

During a login to another SP the schacHomeOrganization attribute may or may not be present; this depends on whether the IdP released this attribute.

There are three LoA levels defined. The actual identifiers used are installation dependent. We will refer to them as <LoA1>, <LoA2> and <LoA3>:

  1. <LoA1> (also called intrinsic, no second factor is required)
  2. <LoA2>
  3. <LoA3>

To determine the minimal LoA at which the user must be authenticated, and whether the user is allowed to log in, the information ("inputs") listed below is used. Using this information the gateway decides the LoA at which a user must be authenticated before allowing login to a specific SP.

There are basically two methods for determining the LoA, which are combined using the principle that a LoA can only be raised and can never be lowered:

  1. The SP requests authentication at a specific minimal LoA
  2. On the gateway, a per-SP, per-institution (i.e. organisation) configuration specifies the minimal LoA. A degenerate case is a minimal LoA per SP, regardless of the institution; this is the __default__ for an SP.

What makes the LoA determination more complex than we initially thought is that determining the institution (organisation) that a user belongs to is not always possible, and is not always possible with the same assurance. The key ingredients are:

  • Stepup was designed to determine the institution of the user based on a SAML attribute (i.e. the schacHomeOrganization attribute), which may not be present during authentication to the gateway. Omitting this attribute is a valid use case.
  • Stepup uses JIT provisioning. It does not know all users.

We learned that special care must be taken to ensure that the unavailability of this attribute cannot lead to bypassing a per institution LoA requirement.

Flow diagram

The info (inputs) for determining the required LoA is:

  • <NameID>: The value of the NameID in the Subject of the Assertion from the IdP.
  • <IdP-SHO>: Value of the schacHomeOrganization attribute from the Assertion from the IdP.
  • <LoAs>: An associative array mapping schacHomeOrganization to LoA. This array is configured on the gateway for each SP.
  • <SP-LoA>: The value of the AuthnContextClassRef in the AuthnRequest from the SP.
  • <User-SHO>: The schacHomeOrganization that the user belongs to; this is the schacHomeOrganization that was provided during registration of the token to the SP.

(Flow diagram image: SP-specific-LoA-determination)