...
- YES (and support of eduPersonAssurance attribute) - Do you have a LoA (schema) in place and which one?
- YES - Do you have contracts with IdPs?
- YES and NO, mostly in mother tongue - Do you require an Identity Management Practice Statement? Do you enforce it?
- Mostly only documentation, not enforced, some have self-audits or pairwise audits (WAYF as exception, as all public institutions are audited); NemID as national two-factor-authentication mechanism at WAYF - Do you require any audits/documentations for IdPs?
- NO and NO - Have you made any cost analysis for introducing (a higher) LoA? Is a higher LoA wanted from IdPs?
- NO - Any experience of the costs IdPs have to bear in order to achieve a specific LoA?
- Between none and high costs + High burden on the SP side to handle multiple LoAs, in terms of knowledge needed and changing technical installations to support multi-LoA policies. - Impacts on adopting LoA
...
- Do you have a LoA (schema) in place and which one? - Yes, as per <https://www.igtf.net/ap/loa/>
- Do you have contracts with IdPs? - No, but there are sanctions for not complying with the requirement (e.g. on attending policy meetings and meeting the self-assessment requirements) that will result in expulsion of an IdP from the federation.
- Do you require an Identity Management Practice Statement? Do you enforce it? - Yes, required and enforced.
- Do you require any audits/documentations for IdPs? - Yes, required for documentation. Audits in the sense of peer-reviewed self-assessment are required periodically, and additional scrutiny is performed on accession.
...
- Have you made any cost analysis for introducing (a higher) LoA? Is a higher LoA wanted from IdPs? - No assessment has been done, and for now no relying parties have requested a higher LoA than the one provided (i.e. higher than F2F+2FA).
- Any experience of the costs IdPs have to bear in order to achieve a specific LoA? - This is unknown at a federation level, and is much country- and model-dependent. In most cases, the cost of LoA is distributed to the user who has to perform the F2F vetting.
- Impacts on adopting LoA - Differentiated LoA has been introduced recently (adding a 'lower' "Identifier-Only" assurance level below the conventional F2F+real name), which has resulted in some relying parties and end-users being confused about the 'trustworthiness' of the credential. It is rather complex to explain to non-experts that within a single federation multiple LoA levels exist, and that these should not be automatically all treated as equal.