<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Mischa, all,<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 30 Aug 2019, at 15:10, Mischa Salle <<a href="mailto:msalle@nikhef.nl" class="">msalle@nikhef.nl</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hi Marcus,<br class=""><br class="">good that you bring this up!<br class="">We recently figured out (thanks to Roland for pointing me to it!) that<br class="">there is both "acr" and "amr", in addition to the REFEDS'<br class="">eduperson_assurance. Actually I'm not sure why we did not consider amr<br class="">during the RAF discussions. </div></div></blockquote><div><br class=""></div><div>The amr claim was actually brought up during the RAF discussions but the argument against using that claim was that amr is more related to the authentication, which is not covered by RAF. 
</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">So perhaps you should produce something like<br class=""><br class=""> "acr" : "<a href="https://refeds.org/profile/sfa" class="">https://refeds.org/profile/sfa</a>",</div></div></blockquote><blockquote type="cite" class=""><div class=""><div class=""> "amr" : [<br class=""> "<a href="https://refeds.org/assurance/ATP/ePA-1d" class="">https://refeds.org/assurance/ATP/ePA-1d</a>",<br class=""> "<a href="https://refeds.org/assurance/ATP/ePA-1m" class="">https://refeds.org/assurance/ATP/ePA-1m</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/local-enterprise" class="">https://refeds.org/assurance/IAP/local-enterprise</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/low" class="">https://refeds.org/assurance/IAP/low</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/medium" class="">https://refeds.org/assurance/IAP/medium</a>",<br class=""> "<a href="https://refeds.org/assurance/ID/eppn-unique-no-reassign" class="">https://refeds.org/assurance/ID/eppn-unique-no-reassign</a>",<br class=""> "<a href="https://refeds.org/assurance/ID/unique" class="">https://refeds.org/assurance/ID/unique</a>",<br class=""> "<a href="https://refeds.org/assurance/profile/cappuccino" class="">https://refeds.org/assurance/profile/cappuccino</a>"<br class=""> ],<br class=""> "eduperson_assurance" : [<br class=""> "<a href="https://refeds.org/assurance/ATP/ePA-1d" class="">https://refeds.org/assurance/ATP/ePA-1d</a>",<br class=""> "<a href="https://refeds.org/assurance/ATP/ePA-1m" class="">https://refeds.org/assurance/ATP/ePA-1m</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/local-enterprise" class="">https://refeds.org/assurance/IAP/local-enterprise</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/low" class="">https://refeds.org/assurance/IAP/low</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/medium" 
class="">https://refeds.org/assurance/IAP/medium</a>",<br class=""> "<a href="https://refeds.org/assurance/ID/eppn-unique-no-reassign" class="">https://refeds.org/assurance/ID/eppn-unique-no-reassign</a>",<br class=""> "<a href="https://refeds.org/assurance/ID/unique" class="">https://refeds.org/assurance/ID/unique</a>",<br class=""> "<a href="https://refeds.org/assurance/profile/cappuccino" class="">https://refeds.org/assurance/profile/cappuccino</a>"<br class=""> ],<br class=""></div></div></blockquote><div><br class=""></div><div>Expressing SFA/MFA through the acr claim certainly makes sense. However, based on the example provided in Appendix B of RAF version 1.0, it should be sufficient to express the RAF values using just the eduperson_assurance claim.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">which is more or less what Nikhef is now producing.<br class="">Additionally we also add some information such as the IGTF assurance<br class="">profile OID (typically <a href="https://igtf.net/ap/authn-assurance/birch" class="">https://igtf.net/ap/authn-assurance/birch</a> /<br class="">urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like<br class=""> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br class="">or<br class=""> urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient<br class=""></div></div></blockquote><div><br class=""></div><div>I think that this type of information (e.g. PasswordProtectedTransport, TLSClient), which describes the actual authentication method, is probably a better fit for the amr claim. 
It is interesting that even in SAML, there are implementations that express this information through a custom "authnmethodsreferences" attribute:</div><div><a href="https://wiki.refeds.org/pages/viewpage.action?pageId=38895671" class="">https://wiki.refeds.org/pages/viewpage.action?pageId=38895671</a></div><div><br class=""></div><div>But for purely RAF assurance profiles and component values ($PREFIX$/ID/IAP/ATP/profile), using the eduperson_assurance claim seems to be the standard way.</div><div><br class=""></div><div>Cheers,</div><div>Nicolas</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">(btw you're missing the 'assurance' part of the $PREFIX for cappuccino)<br class=""><br class="">See the OIDC core spec under IDToken, one but last claim,<br class=""><a href="https://openid.net/specs/openid-connect-core-1_0.html#IDToken" class="">https://openid.net/specs/openid-connect-core-1_0.html#IDToken</a><br class=""><br class=""> amr<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>OPTIONAL. Authentication Methods References. JSON array of<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>strings that are identifiers for authentication methods used in<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>the authentication. For instance, values might indicate that<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>both password and OTP authentication methods were used. The<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>definition of particular values to be used in the amr Claim is<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>beyond the scope of this specification. 
Parties using this claim<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>will need to agree upon the meanings of the values used, which<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>may be context-specific. The amr value is an array of case<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>sensitive strings.<br class=""><br class="">For your link [3], the latest version seems to be<br class="">https://wiki.refeds.org/display/CON/Consultation%3A+SAML2+and+OIDC+Mappings<br class=""><br class="">Cheers,<br class="">Mischa<br class=""><br class="">On Tue, Aug 27, 2019 at 02:09:48PM +0200, Marcus Hardt wrote:<br class=""><blockquote type="cite" class="">Hi There,<br class=""><br class="">we have a use case for using the Information of the REFEDS Assurance<br class="">Framework (RAF)[1] via OIDC.<br class=""><br class="">I.e. my home IdP issues me <br class=""><br class="">- https://refeds.org/assurance/ATP/ePA-1d<br class="">- https://refeds.org/assurance/ATP/ePA-1m<br class="">- https://refeds.org/assurance/IAP/local-enterprise<br class="">- https://refeds.org/assurance/IAP/low<br class="">- https://refeds.org/assurance/IAP/medium<br class="">- https://refeds.org/assurance/ID/eppn-unique-no-reassign<br class="">- https://refeds.org/assurance/ID/unique<br class="">- https://refeds.org/profile/cappuccino<br class=""><br class="">Question is how to get these into "OIDC"?<br class=""><br class="">Now, there is already some work done in the OIDCRE[2] group, that<br class="">resulted in this[3] google doc.<br class=""><br class="">[1]https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0<br class="">[2]https://wiki.refeds.org/display/GROUPS/OIDCre<br class="">[3]https://docs.google.com/document/d/1b-Mlet3Lq7qKLEf1BnHJ4nL1fq-vMe7fzpXyrq2wp08/edit<br class=""><br class=""><br class="">Two problems kept us from putting this information (as a list) into<br class="">eduperson_assurance:<br 
class=""><br class="">1: Single-valuedness (I'm not sure about this being so, but I was told)<br class="">2: ID Token: Assurance might rather belong into the ID Token (while from<br class=""> the research background we tend to put all into the userinfo endpoint.)<br class=""><br class=""><br class="">Basically, I'm writing to find updated information, or to find a way to<br class="">close this item.<br class=""><br class=""><br class="">Cheers,<br class="">-- <br class="">Marcus.<br class=""></blockquote><br class=""><br class=""><br class=""><blockquote type="cite" class="">-- <br class="">openid-specs-rande mailing list<br class="">openid-specs-rande@lists.openid.net<br class="">http://lists.openid.net/mailman/listinfo/openid-specs-rande<br class=""></blockquote><br class=""><br class="">-- <br class="">Nikhef Room H155<br class="">Science Park 105 Tel. +31-20-592 5102<br class="">1098 XG Amsterdam Fax +31-20-592 5155<br class="">The Netherlands Email msalle@nikhef.nl<br class=""> __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..<br class=""></div></div></blockquote></div><br class=""><div class="">
<div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">--<br class="">Nicolas Liampotis<br class="">AAI Research Engineer</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">GRNET - Greek Research and Technology Network<br class="">7, Kifisias Av., 115 23, Athens, Greece</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">k: 0xAC118B82</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; 
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">t: +30 210 7474264<br class="">f: +30 210 7474490</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class=""></div><div style="text-align: start; text-indent: 0px;">Follow us: <a href="http://www.grnet.gr" class="">www.grnet.gr</a><div class="">Twitter: @grnet_gr | Facebook: @grnet.gr</div><div class="">LinkedIn: grnet | YouTube: GRNET EDET</div></div></div></div></div>
</div>
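<div class=""><br class=""></div><div class="">Added example, not code from any of the posters above and not part of the original message: a relying-party-side check, in Python, of the claim layout discussed in this thread. It reads RAF values from <code>eduperson_assurance</code> (accepting either a JSON array or the single string Marcus was told the claim might be limited to), treats only values under the RAF $PREFIX <code>https://refeds.org/assurance</code> as assurance values and reports anything else, for instance the <code>https://refeds.org/profile/cappuccino</code> spelling Mischa flagged, instead of silently matching it, compares IAP levels by rank, and checks the REFEDS MFA profile in <code>acr</code> separately, since the thread keeps authentication out of the RAF values. The sample claims are constructed from Mischa's example; the <code>Requirement</code> and <code>Decision</code> types are this example's own design, and the <code>"pwd"</code> amr value is taken from RFC 8176, not from the thread.</div><div class=""><br class=""></div>

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# RAF v1.0 $PREFIX: every RAF value (ID/..., IAP/..., ATP/..., profile/...) lives under it.
RAF_PREFIX = "https://refeds.org/assurance"
# REFEDS authentication profiles belong in the OIDC "acr" claim, not in eduperson_assurance.
REFEDS_SFA = "https://refeds.org/profile/sfa"
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Identity-proofing levels in ascending order, so "medium" satisfies a "low" requirement.
IAP_ORDER = ("low", "medium", "high")

Claims = Dict[str, object]

def as_list(value) -> List[str]:
    """eduperson_assurance is multi-valued, but some OPs emit one string; accept both."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]

def split_raf(claims: Claims) -> Tuple[List[str], List[str]]:
    """Split eduperson_assurance into RAF values and everything else.

    Matching is exact and case-sensitive: "https://refeds.org/profile/cappuccino" lacks
    the "/assurance" part of the prefix, so it is reported, not accepted as the profile.
    """
    raf, other = [], []
    for v in as_list(claims.get("eduperson_assurance")):
        (raf if v.startswith(RAF_PREFIX + "/") else other).append(v)
    return raf, other

def iap_rank(raf_values: Sequence[str]) -> int:
    """Highest asserted IAP level as an index into IAP_ORDER, or -1 if none is asserted."""
    iap_prefix = RAF_PREFIX + "/IAP/"
    levels = [v[len(iap_prefix):] for v in raf_values if v.startswith(iap_prefix)]
    ranks = [IAP_ORDER.index(level) for level in levels if level in IAP_ORDER]
    return max(ranks) if ranks else -1

@dataclass(frozen=True)
class Requirement:
    """RP policy (this example's own type). RAF entries are relative to RAF_PREFIX."""
    profile: Optional[str] = None      # e.g. "profile/cappuccino"
    components: Tuple[str, ...] = ()   # e.g. ("ID/unique", "ATP/ePA-1m")
    min_iap: Optional[str] = None      # one of IAP_ORDER
    mfa: bool = False                  # require acr == REFEDS_MFA

@dataclass
class Decision:
    accepted: bool
    failures: List[str] = field(default_factory=list)  # unmet requirements
    warnings: List[str] = field(default_factory=list)  # ignored or unexpected input

def evaluate(claims: Claims, req: Requirement) -> Decision:
    """Decide whether the (already verified and decoded) claims satisfy req."""
    raf, other = split_raf(claims)
    failures: List[str] = []
    warnings = [f"ignored non-RAF value in eduperson_assurance: {v}" for v in other]
    if req.profile and f"{RAF_PREFIX}/{req.profile}" not in raf:
        failures.append(f"missing profile {req.profile}")
    for component in req.components:
        if f"{RAF_PREFIX}/{component}" not in raf:
            failures.append(f"missing component {component}")
    if req.min_iap is not None and iap_rank(raf) < IAP_ORDER.index(req.min_iap):
        failures.append(f"IAP below {req.min_iap}")
    if req.mfa and claims.get("acr") != REFEDS_MFA:
        failures.append(f"acr is {claims.get('acr')!r}, REFEDS MFA required")
    return Decision(not failures, failures, warnings)

# Constructed sample claims in the layout Mischa proposed: RAF values in
# eduperson_assurance, the REFEDS SFA profile in acr, the method in amr
# ("pwd" from RFC 8176; the thread also considers SAML AuthnContext URIs there).
EXAMPLE_CLAIMS: Claims = {
    "acr": REFEDS_SFA,
    "amr": ["pwd"],
    "eduperson_assurance": [
        f"{RAF_PREFIX}/ATP/ePA-1d",
        f"{RAF_PREFIX}/ATP/ePA-1m",
        f"{RAF_PREFIX}/IAP/local-enterprise",
        f"{RAF_PREFIX}/IAP/low",
        f"{RAF_PREFIX}/IAP/medium",
        f"{RAF_PREFIX}/ID/eppn-unique-no-reassign",
        f"{RAF_PREFIX}/ID/unique",
        f"{RAF_PREFIX}/profile/cappuccino",
    ],
}

# The same claims with the cappuccino URI missing "/assurance", as in Marcus's original list.
MISTYPED_CLAIMS: Claims = dict(EXAMPLE_CLAIMS)
MISTYPED_CLAIMS["eduperson_assurance"] = [
    v.replace(RAF_PREFIX + "/profile/", "https://refeds.org/profile/")
    for v in as_list(EXAMPLE_CLAIMS["eduperson_assurance"])
]
```

<div class="">With <code>EXAMPLE_CLAIMS</code>, <code>Requirement(profile="profile/cappuccino")</code> is accepted and <code>Requirement(mfa=True)</code> is rejected because <code>acr</code> carries the SFA profile; with <code>MISTYPED_CLAIMS</code> the profile check fails and the misspelt URI appears in <code>Decision.warnings</code>. Keeping the comparison to exact, case-sensitive strings under the RAF prefix, with IAP ordering as the only interpretation, means the RP never "helpfully" upgrades a value it does not recognise.</div>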
<br class=""></body></html>