
eduPersonAssurance

WHAT IS EDUPERSONASSURANCE?

eduPersonAssurance is a multi-valued attribute representing identity assurance profiles (IAPs), which are the set of standards met by an identity assertion, based on the Identity Provider's identity management processes, the type of authentication credential used, and the strength of its binding. See REFEDS Assurance Framework for details.

We reference NIST SP800-63A for its definition of IAL (Identity Assurance Level), along with an implementation guideline, including a mapping between IAP and IAL, from InCommon.

EDUPERSONASSURANCE FOR THE STANFORD COMMUNITY

ISO and Card Services have clarified that the card service requires identity proofing for each issued card, which is then recorded in the Person Registry as suProxyCardNumber. When cards are distributed in groups, all delegates are required to go through the same identity proofing process (verified government-issued IDs) with the cardholder. This process asserts a "medium" level of assurance for users who have a suProxyCardNumber present in their corresponding Registry record.

Further discussion is underway as to what additional processes and procedures are required to achieve IAP "high" assurance for certain individuals.

STANFORD IDP IMPLEMENTATION

The Stanford IdP will release the attribute eduPersonAssurance (urn:oid:1.3.6.1.4.1.5923.1.1.1.11) with the following values:

  • For users who have a valid suProxyCardNumber:

    https://refeds.org/assurance
    https://refeds.org/assurance/ATP/ePA-1m
    https://refeds.org/assurance/ID/eppn-unique-no-reassign
    https://refeds.org/assurance/IAP/low
    https://refeds.org/assurance/IAP/medium
    https://refeds.org/assurance/profile/cappuccino
    https://refeds.org/assurance/ID/unique
    
  • For users who do not have a suProxyCardNumber:

    https://refeds.org/assurance
    https://refeds.org/assurance/ATP/ePA-1m
    https://refeds.org/assurance/ID/eppn-unique-no-reassign
    https://refeds.org/assurance/IAP/low
    https://refeds.org/assurance/ID/unique
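
How a service provider might act on the two value sets above, as an added example that is not Stanford's or REFEDS' own code. The function names are hypothetical, and the cappuccino component list and the role of the bare prefix value come from the REFEDS Assurance Framework rather than from this page.

```python
PREFIX = "https://refeds.org/assurance"
IAP_ORDER = ["low", "medium", "high"]  # ascending strength

# Components behind the cappuccino profile and the meaning of the bare
# prefix are taken from the REFEDS Assurance Framework, not from this page.
CAPPUCCINO = {f"{PREFIX}/ID/unique", f"{PREFIX}/IAP/medium",
              f"{PREFIX}/ATP/ePA-1m"}


def evaluate(values):
    """Summarise a multi-valued eduPersonAssurance attribute (hypothetical helper)."""
    vals = {v.strip() for v in values if v and v.strip()}
    if PREFIX not in vals:
        # No framework conformance marker: disregard all other values.
        return {"conformant": False, "iap": None, "cappuccino": False}
    asserted = [lvl for lvl in IAP_ORDER if f"{PREFIX}/IAP/{lvl}" in vals]
    claimed = f"{PREFIX}/profile/cappuccino" in vals
    return {
        "conformant": True,
        "iap": asserted[-1] if asserted else None,  # highest level asserted
        # Accept the profile shortcut only if its components are present too.
        "cappuccino": claimed and CAPPUCCINO <= vals,
    }


def meets_iap(values, required):
    """Fail-closed check that the asserted IAP is at least `required`."""
    iap = evaluate(values)["iap"]
    if iap is None or required not in IAP_ORDER:
        return False
    return IAP_ORDER.index(iap) >= IAP_ORDER.index(required)


# The two value sets released by the IdP, copied from the lists above.
WITHOUT_CARD = [
    PREFIX,
    f"{PREFIX}/ATP/ePA-1m",
    f"{PREFIX}/ID/eppn-unique-no-reassign",
    f"{PREFIX}/IAP/low",
    f"{PREFIX}/ID/unique",
]
WITH_CARD = WITHOUT_CARD + [f"{PREFIX}/IAP/medium", f"{PREFIX}/profile/cappuccino"]

if __name__ == "__main__":
    for name, vals in (("with card", WITH_CARD), ("without card", WITHOUT_CARD)):
        print(name, evaluate(vals), "IAP>=medium:", meets_iap(vals, "medium"))
```

A missing attribute, a missing prefix value, or an unknown required level all evaluate to "not met", so a resource that needs IAP medium stays closed by default.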
    

Availability

Currently, eduPersonAssurance is released to InCommon R&S members per the data custodian's approval. Other service providers may request the release of this attribute through the Data Owner Request form.
