Introduction

In the context of SAML-based national identity federations there is an increasing need for Service Providers to learn a user's Level of Assurance (LoA), both for identity vetting and for authentication security. A few national identity federations have started to introduce services that raise a user's LoA. All such services known today use a proxy architecture: a component (the proxy) is inserted between the user's Identity Provider (IdP) and the Service Provider (SP) that requires LoA information. The proxy intercepts the user's SAML assertion and forces the user to present a second authentication factor before they can proceed to the actual service that needs the LoA information. In the case of the SURFconext Strong Authentication service, not only the authentication security is increased but also the identity vetting strength, because the user must initially go through an identity vetting process with in-person passport validation.

...

In the above flow it is assumed that the registration of a second factor and any identity vetting mechanics have taken place prior to this login flow.

FIXME: Diagram of this flow

Flowchart: loa-aa-flow_v0.1.pdf

Weaknesses/Limitations

  • Only works with SAML implementations that support SAML Attribute Query (plus an AttributeChecker mechanism), such as Shibboleth
  • Upfront configuration effort is higher than with the proxy approach
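To make the first limitation concrete, here is an added Shibboleth SP configuration fragment (not taken from this page or from any federation's published configuration) showing the two pieces an SP needs for the non-proxy approach: an Attribute Query resolver and an AttributeChecker session hook that refuses a session until the LoA attribute is present. The entityID, the attribute IDs `eppn` and `loa` (as mapped in attribute-map.xml) and the attribute-map mapping itself are assumptions chosen for illustration.

```xml
<!-- shibboleth2.xml (fragment, assumed SP entityID) -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn"
                     sessionHook="/Shibboleth.sso/AttrChecker">

  <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerSSL="true" cookieProps="https">

    <!-- Without this handler the SP would create a session even when the
         IdP (or the Attribute Query) returned no LoA attribute at all,
         and the application would have to detect the missing LoA itself. -->
    <Handler type="AttributeChecker" Location="/AttrChecker"
             template="attrChecker.html"
             attributes="eppn loa"
             flushSession="true"/>
  </Sessions>

  <!-- Fetch attributes via SAML Attribute Query after SSO; subjectMatch
       ensures the queried NameID matches the one in the SSO assertion. -->
  <AttributeResolver type="Query" subjectMatch="true"/>

  <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                      path="attribute-map.xml"/>
</ApplicationDefaults>

<!-- attribute-map.xml (fragment): the SAML attribute name carrying the
     LoA is federation-specific; "urn:example:loa" is a placeholder. -->
<Attribute name="urn:example:loa" id="loa"/>
```

When the `loa` attribute is missing, the handler renders attrChecker.html instead of the application and, with `flushSession="true"`, discards the half-built session so the user cannot reach the protected resource at an unknown LoA.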

...