The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

LevelOfAssurance

Owned by Scott Cantor
Last updated: Dec 22, 2006Version comment
1 min read

Levels of Assurance and Shibboleth

The Level of Assurance(LOA) of an authentication, whether conveyed using a certificate, SAML assertion, or other mechanism, refers to the degree of confidence the issuer has that the authenticated entity corresponds to the proper holder of its associated key. In plain English, it's how certain you can be that the authenticated person is who they say they are. This is of interest to secure applications that require a high degree of confidence.

The LOA associated with an authentication depends on a large number of factors, with the weakest link in the process generally determining the maximum LOA that can be achieved. The provider/authority itself must operate with appropriately tight security and practices; the act of credential issuance must be done with sufficient rigor; and the token used to perform run-time authentication needs to be safe from a variety of attacks.

The U.S. Federal Government has done a large amount of work through NIST, OMB, and the eAuthentication initiatives to establish a numeric scale for LOA, generally ranging from 1 to 4. Documents that may be useful:

There should be a statement of LOA information in both the federation and providers' policies, as the authentication of the provider itself becomes an issue in federated identity. The LOA that is derived from these is then represented in the SAML assertion by including it as an attribute.

%COMMENT%