...

  • Yes, we'll use the Assurance Profile doc methods.  Note that this is SAML2-only.

Will the NIH gateway request LoA? :  The SAML assurance profile permits the SP to request a particular LoA (with a choice of matching rules) in the AuthnRequest.  This is not required; the IdP can instead be configured to know that a particular SP needs a particular LoA and simply send it.  That may not meet the NIH use case, however, because the NIH federation gateway fronts many applications: some require no LoA label today, and some will require (or prefer) an LoA in the future.  With no request, IdPs would have to send the highest LoA on every access, which could be a burden on the user and could set a bad precedent for LoA pricing in the future.  It could still be the easiest deployment for now.  The next issue (profile mismatch) applies to requests too.
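The request mechanism described above, as an added example that is not part of the original page or of any NIH or InCommon software: the SP builds an AuthnRequest carrying a RequestedAuthnContext with one of the four Comparison rules SAML2 core defines (exact, minimum, maximum, better; exact is the default), and the gateway checks the AuthnContextClassRef the IdP asserts against that request. The InCommon Bronze and Silver URIs are the real profile identifiers; the strength ordering Bronze < Silver, the entity IDs and the sample assertion are assumptions constructed for the example. An asserted URI from some other profile (the "profile mismatch" case) never satisfies an ordered comparison.

```python
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# InCommon assurance profile identifiers (carried in AuthnContextClassRef
# under the SAML assurance profile).
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
# Assumed strength ordering, lowest first; SAML leaves this to the deployment.
ASSURANCE_ORDER = {BRONZE: 1, SILVER: 2}

COMPARISONS = ("exact", "minimum", "maximum", "better")


def build_authn_request(request_id, issuer, acs_url, class_refs, comparison="exact"):
    """Serialize an AuthnRequest asking for one of 'class_refs' under 'comparison'."""
    if comparison not in COMPARISONS:
        raise ValueError("unknown Comparison value: %s" % comparison)
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2013-01-01T00:00:00Z",  # constructed timestamp
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = issuer
    rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP,
                        {"Comparison": comparison})
    for uri in class_refs:
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = uri
    return ET.tostring(req, encoding="unicode")


def requested_context(authn_request_xml):
    """Return (comparison, [class refs]) from an AuthnRequest, or (None, [])
    when the SP did not request any context (IdP then sends its configured LoA)."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("{%s}RequestedAuthnContext" % SAMLP)
    if rac is None:
        return None, []
    refs = [e.text for e in rac.findall("{%s}AuthnContextClassRef" % SAML)]
    return rac.get("Comparison", "exact"), refs


def asserted_context(assertion_xml):
    """Pull the AuthnContextClassRef out of an Assertion (or a Response)."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//{%s}AuthnContextClassRef" % SAML)
    return ref.text if ref is not None else None


def satisfies(comparison, requested, asserted):
    """Apply the SAML2 Comparison rule to the asserted class ref.
    'exact' is pure set membership; the ordered rules use ASSURANCE_ORDER and
    treat any URI outside it (a profile mismatch) as not satisfying."""
    if asserted is None:
        return False
    if comparison == "exact":
        return asserted in requested
    if asserted not in ASSURANCE_ORDER or any(r not in ASSURANCE_ORDER for r in requested):
        return False
    got = ASSURANCE_ORDER[asserted]
    ranks = [ASSURANCE_ORDER[r] for r in requested]
    if comparison == "minimum":   # at least as strong as one requested context
        return got >= min(ranks)
    if comparison == "maximum":   # no stronger than the strongest requested
        return got <= max(ranks)
    if comparison == "better":    # strictly stronger than every requested context
        return got > max(ranks)
    raise ValueError("unknown Comparison value: %s" % comparison)


# Constructed sample assertion (not a real IdP's output): Silver asserted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2013-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>http://id.incommon.org/assurance/silver</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def gateway_decision(authn_request_xml, assertion_xml):
    """What the gateway would decide for one exchange: accept only if the
    asserted context satisfies the request (no request means no LoA check)."""
    comparison, refs = requested_context(authn_request_xml)
    if comparison is None:
        return True
    return satisfies(comparison, refs, asserted_context(assertion_xml))


if __name__ == "__main__":
    req = build_authn_request("_r1", "https://gateway.example.org/sp",
                              "https://gateway.example.org/acs", [SILVER], "minimum")
    print(req)
    print("accepted:", gateway_decision(req, SAMPLE_ASSERTION))
```

Whether a gateway serving many applications should request per application (the request carries only what that application needs) or rely on IdP-side configuration is exactly the trade-off discussed above; the code makes the per-request path concrete.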

...

Use of Bronze/Level 1? :  Under the existing MoU between InCommon and NIH, all InCommon IdPs are accepted as Level 1 without needing InCommon Bronze certification.  Will this continue to be true indefinitely or will NIH be wanting Bronze certification for Level 1 equivalence at some point?

  • Level 1 will continue to be qualifier-free as it is now.  LoA will only be required for Level 2 / Silver.

Use of SHA256:  FICAM would like its partners to move from SHA-1 to SHA-256 for signing.  This covers both signing assertions and signing metadata.  (This is unrelated to LoA but is about InC-NIH interop.)
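A practitioner checking an IdP or SP for this migration wants to know which XML-Signature algorithm identifiers its signed metadata (and assertions) actually carry. The check below is an added example, not from the original page or from InCommon or FICAM tooling: it scans a signed document for ds:SignatureMethod and ds:DigestMethod and reports the SHA-1 ones. The algorithm URIs are the standard XML-DSig identifiers; the metadata sample is constructed, not real federation metadata.

```python
from xml.etree import ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML-Signature algorithm identifiers.
SHA1_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",        # SignatureMethod
    "http://www.w3.org/2000/09/xmldsig#sha1",            # DigestMethod
}
SHA256_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",  # SignatureMethod
    "http://www.w3.org/2001/04/xmlenc#sha256",            # DigestMethod
}


def signature_algorithms(xml_text):
    """List (element, algorithm URI) pairs for every SignatureMethod and
    DigestMethod anywhere in the document, signature by signature order."""
    root = ET.fromstring(xml_text)
    found = []
    for sig in root.iter("{%s}Signature" % DS):
        for tag in ("SignatureMethod", "DigestMethod"):
            for el in sig.iter("{%s}%s" % (DS, tag)):
                found.append((tag, el.get("Algorithm")))
    return found


def sha1_findings(xml_text):
    """The SHA-1 algorithm identifiers still present; empty means migrated."""
    return [(t, a) for t, a in signature_algorithms(xml_text) if a in SHA1_ALGS]


def uses_only_sha256(xml_text):
    """True only when the document is signed and every algorithm is SHA-256."""
    algs = signature_algorithms(xml_text)
    return bool(algs) and all(a in SHA256_ALGS for _, a in algs)


def _metadata(sig_alg, digest_alg):
    # Constructed signed EntityDescriptor; SignatureValue/DigestValue are dummies,
    # since only the algorithm identifiers are inspected here.
    return """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu/idp/shibboleth">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="%s"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="%s"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>""" % (sig_alg, digest_alg)


# Constructed samples: a legacy SHA-1 signature and its SHA-256 counterpart.
LEGACY_METADATA = _metadata("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                            "http://www.w3.org/2000/09/xmldsig#sha1")
MIGRATED_METADATA = _metadata("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                              "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for name, doc in (("legacy", LEGACY_METADATA), ("migrated", MIGRATED_METADATA)):
        print(name, "SHA-1 identifiers:", sha1_findings(doc),
              "SHA-256 only:", uses_only_sha256(doc))
```

Note that a clean result from this check says nothing about whether the signature verifies; it only confirms which algorithms were declared, which is the interop question FICAM is raising.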

...