REFEDS Assurance Framework

The REFEDS Assurance Framework (RAF) defines individual assurance components that describe a user's identity. This allows a relying party to distinguish the quality of the identity vetting, the freshness of the attributes and the uniqueness of the identifiers used.

Since none of the existing upstream IdPs currently support RAF, the idea is to assert it at the proxy level: Unity will convey information about the user's upstream authentication. This is hard-coded configuration containing a priori knowledge about the upstream IdP and its procedures; it is not derived from anything the upstream sends, so it is only as good as that knowledge and must be kept in step with the IdP's actual practices. For example, this allows us to characterise the upstream authentication and differentiate between ORCID users and those from (for example) KIT.

Currently defined are (`$PREFIX$` is the assurance namespace prefix; RAF's own is `https://refeds.org/assurance`):

  • ID-Uniqueness:

    • $PREFIX$/ID/unique
    • $PREFIX$/ID/no-eppn-reassign
    • $PREFIX$/ID/eppn-reassign-1y
  • ID-Proofing:

    • $PREFIX$/IAP/low
    • $PREFIX$/IAP/medium
    • $PREFIX$/IAP/high
    • $PREFIX$/IAP/local-enterprise
  • Attribute freshness:

    • $PREFIX$/ATP/ePA-1m
    • $PREFIX$/ATP/ePA-1d
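As an added example (not part of this page and not Unity's own code or configuration), the following Python models the proxy-level approach described above: a hard-coded table of what the proxy knows about each upstream IdP, a load-time check that rejects unknown or contradictory components, and a function that attaches the resulting values to the claims issued downstream. The upstream identifiers, the component sets assigned to them, the assumption that `$PREFIX$` is RAF's namespace and the claim name `eduperson_assurance` are all assumptions of this example, not facts about ORCID, KIT or Unity.

```python
"""Proxy-level RAF assertion from a priori knowledge of the upstream IdP.

Added example, not Unity's code or configuration. Upstream identifiers and the
component sets assigned to them are constructed for illustration and say
nothing about the real procedures of ORCID or KIT.
"""
from typing import Dict, FrozenSet, List

# Assumption: $PREFIX$ on this page stands for RAF's own namespace.
PREFIX = "https://refeds.org/assurance"

# The components listed above, relative to $PREFIX$.
KNOWN_COMPONENTS: FrozenSet[str] = frozenset({
    "ID/unique", "ID/no-eppn-reassign", "ID/eppn-reassign-1y",
    "IAP/low", "IAP/medium", "IAP/high", "IAP/local-enterprise",
    "ATP/ePA-1m", "ATP/ePA-1d",
})

# Components that contradict each other: an ePPN is either never reassigned
# or reassigned after one year, not both.
MUTUALLY_EXCLUSIVE = [("ID/no-eppn-reassign", "ID/eppn-reassign-1y")]

# The hard-coded table: what the proxy knows about each upstream IdP, keyed by
# the identifier seen in the upstream assertion (SAML entityID or OIDC issuer).
# Hypothetical identifiers; the component sets are constructed examples.
UPSTREAM_ASSURANCE: Dict[str, FrozenSet[str]] = {
    # Self-registered accounts: stable identifier, no identity vetting.
    "https://orcid.example": frozenset({
        "ID/unique", "ID/no-eppn-reassign", "IAP/low",
    }),
    # Institutional IdP: enterprise vetting, ePPN may be reused after a year,
    # affiliation refreshed at least monthly.
    "https://idp.kit.example": frozenset({
        "ID/unique", "ID/eppn-reassign-1y", "IAP/local-enterprise", "ATP/ePA-1m",
    }),
}


def config_errors(components: FrozenSet[str]) -> List[str]:
    """Problems with one table entry: unknown components or contradictions."""
    errors = []
    unknown = components - KNOWN_COMPONENTS
    if unknown:
        errors.append(f"unknown assurance components: {sorted(unknown)}")
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in components and b in components:
            errors.append(f"contradictory components: {a} and {b}")
    return errors


def validate_table(table: Dict[str, FrozenSet[str]]) -> None:
    """Run at configuration load time so a typo cannot become an assurance claim."""
    for upstream, components in table.items():
        errors = config_errors(components)
        if errors:
            raise ValueError(f"{upstream}: " + "; ".join(errors))


def assurance_for(upstream: str) -> List[str]:
    """eduPersonAssurance values to emit for a user authenticated by `upstream`.

    An upstream the proxy has no a priori knowledge of gets no values at all:
    assurance is asserted only from the table, never guessed and never copied
    from whatever the upstream itself sent.
    """
    components = UPSTREAM_ASSURANCE.get(upstream)
    if components is None:
        return []
    return sorted(f"{PREFIX}/{c}" for c in components)


def add_assurance_claim(claims: dict, upstream: str) -> dict:
    """Attach the values to the claims the proxy issues downstream.

    The claim name 'eduperson_assurance' follows the REFEDS OIDC mapping for
    eduPersonAssurance (assumed here). Any such claim arriving from upstream is
    dropped first, because the proxy, not the upstream, is the asserting party.
    """
    out = dict(claims)
    out.pop("eduperson_assurance", None)
    values = assurance_for(upstream)
    if values:
        out["eduperson_assurance"] = values
    return out


if __name__ == "__main__":
    validate_table(UPSTREAM_ASSURANCE)
    print(add_assurance_claim({"sub": "alice@idp.kit.example"}, "https://idp.kit.example"))
```

The two design choices worth keeping whatever the real implementation looks like: the table is validated when it is loaded, not when a user logs in, and an upstream that is not in the table yields no assurance values rather than a default level.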