Identity Assurance Level

Identity Assurance Level (IAL) is a concept that allows you to choose how you would like to proof your customers' identities.

Requiring Identity Assurance Level

In order to require a specific IAL value, sign in to the Onegini Consumer Identity Access Manager and create or choose an existing Service Provider (Organisations -> Choose or create organisation -> Service Providers -> Choose or create Service Provider). In the form, under General Information, you can choose the IAL value by changing the value for Required Identity Assurance level. Possible values are 1, 2, 3 and 4. You can also set the required IAL value via the configuration API.

When a certain value is required by the Service Provider, the user has to reach it during the authentication process.

Configuring provided Identity Assurance Level

Currently, a user can increase their IAL value by using a specific Identity Provider during the authentication process. In order to configure the IAL value that a certain Identity Provider provides, sign in to the Onegini Consumer Identity Access Manager, go to the Configuration tab and then choose the Identity Providers subtab. Then choose an existing Identity Provider or define a new one. In the form, in the General Information section, you can choose the IAL value by changing the value for Identity Assurance level. Possible values are 1, 2, 3 and 4. Currently, it is impossible to set the IAL value (value 1 is used) for:

Reaching Identity Assurance Level

Identity Assurance Level is a value that is tied to every user: the IAL value is an attribute attached to the person. When a user uses an Identity Provider during the authentication flow, their IAL value is set to the IAL value that Identity Provider offers, but only if that value is higher; otherwise the value stays the same. This also means that a person's IAL value cannot be lowered once a certain value has been reached.

When a user tries to reach a Service Provider but the Identity Provider used in the authentication flow does not provide a high enough IAL value (and the user has not yet reached the required value), an additional page is shown where the person can choose which Identity Provider to use in order to reach the required IAL value. This page allows choosing an Identity Provider only if coupling is enabled, i.e. both configuration options Automated external identity coupling enabled and Bind multiple social accounts with one CIM-account are enabled in Onegini Consumer Identity Access Manager -> Configuration -> Feature management. This can also be set via the configuration API.

A user's IAL value is also updated, if necessary, when the user resets their password, when the person's password is set, or when the credentials API is used.

Requesting Identity Assurance Level

By default, the required Identity Assurance Level depends on which Service Provider is being used in the authentication flow and what value is specified in its configuration. It is also possible to override this value: to do so, the SAML Service Provider adds an Onegini-specific extension to the authentication request. The following XSD is defined for the SAML extension for identity assurance level:

<xs:schema elementFormDefault="qualified"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ial="urn:com:onegini:saml:IdentityAssuranceLevel"
           targetNamespace="urn:com:onegini:saml:IdentityAssuranceLevel"
           version="1.0">
  <xs:element name="IdentityAssuranceLevel" type="ial:IdentityAssuranceLevelType"/>

  <xs:complexType name="IdentityAssuranceLevelType">
    <xs:sequence>
      <xs:element ref="ial:Value" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <!-- Value carries the requested level as its text content, as in the example
       request; the IdP only honours values 1 to 4 and ignores anything else. -->
  <xs:element name="Value" type="ial:IdentityAssuranceLevelValueType"/>

  <xs:simpleType name="IdentityAssuranceLevelValueType">
    <xs:restriction base="xs:integer"/>
  </xs:simpleType>
</xs:schema>

Example request:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://s4-1.dev.onegini.me/saml/SSO"
    Destination="https://idp-core.dev.onegini.me/saml/single-sign-on"
    ForceAuthn="false"
    ID="a1hjcc496996j5g717aiead6d1e7gi6"
    IsPassive="false"
    IssueInstant="2020-11-24T08:58:33.369Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
    <saml2p:Extensions>
        <ial:IdentityAssuranceLevel xmlns:ial="urn:com:onegini:saml:IdentityAssuranceLevel">
            <ial:Value>3</ial:Value>
        </ial:IdentityAssuranceLevel>
    </saml2p:Extensions>
</saml2p:AuthnRequest>

The specified value needs to be between 1 and 4. Otherwise, it is ignored and the Service Provider's configured value applies.
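As an added example (not Onegini's code), the following Python builds an AuthnRequest carrying this extension and shows how an IdP would read the requested level back, falling back to the Service Provider's configured value when the extension is missing, not numeric, or outside 1 to 4. The issuer, request ID and the default level are constructed placeholders.

```python
# Added example, not Onegini's code: build a SAML AuthnRequest carrying the
# Onegini IdentityAssuranceLevel extension and read it back IdP-side,
# applying the documented rule that only values 1..4 are honoured.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IAL_NS = "urn:com:onegini:saml:IdentityAssuranceLevel"

ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)
ET.register_namespace("ial", IAL_NS)


def build_authn_request(issuer: str, requested_ial: int) -> str:
    """SP side: return an AuthnRequest (as text) asking for `requested_ial`.
    Attributes other than the extension are kept minimal for readability."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id",  # placeholder, not a real request ID
        "Version": "2.0",
        "IssueInstant": "2020-11-24T08:58:33.369Z",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    ial = ET.SubElement(ext, f"{{{IAL_NS}}}IdentityAssuranceLevel")
    ET.SubElement(ial, f"{{{IAL_NS}}}Value").text = str(requested_ial)
    return ET.tostring(req, encoding="unicode")


def requested_ial(authn_request_xml: str, sp_default: int) -> int:
    """IdP side: return the IAL the SP asked for, or `sp_default` (the level
    from the Service Provider configuration) when the extension is absent,
    not an integer, or outside the allowed range."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    path = (f"{{{SAMLP}}}Extensions/{{{IAL_NS}}}IdentityAssuranceLevel/"
            f"{{{IAL_NS}}}Value")
    node = root.find(path)
    if node is None or node.text is None:
        return sp_default
    try:
        value = int(node.text.strip())
    except ValueError:
        return sp_default
    # Documented rule: a value outside 1..4 is ignored.
    return value if 1 <= value <= 4 else sp_default
```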

Examples

Scenario 1

Assume the Service Provider (SP) requires Identity Assurance Level equal to 3 (RAIL=3) and Authentication Level 1 (RAAL=1). The Onegini IdP has two Identity Providers configured - Username & Password (UnP), which offers Identity Assurance Level equal to 1 (IAL=1), and Eidas, which offers Identity Assurance Level equal to 3 (IAL=3).

  1. User tries to reach the SP, but is not signed in. User is redirected to the sign-in page.
  2. User registers and sets their UnP credentials. User gets IAL value 1.
  3. User's IAL value is not high enough to reach the SP. An additional page is displayed where the user can choose the Eidas Identity Provider to increase the IAL value to 3.
  4. User successfully signs in with Eidas and gets IAL value 3. This value is high enough to reach the SP, so the user is redirected to the SP.

Scenario 2

This scenario assumes that the user successfully completed Scenario 1.

  1. User signs out.
  2. User tries to reach the SP, but is not signed in. User is redirected to the sign-in page.
  3. User signs in with their UnP credentials. The user previously reached IAL value 3. This value is high enough for the SP.
  4. User successfully signs in and is redirected to the SP.

Scenario 3

Assume the Service Provider (SP) requires Identity Assurance Level equal to 3 (RAIL=3) and Authentication Level 2 (RAAL=2). Onegini Consumer Identity Access Manager has three Identity Providers configured:

  • Username & Password (UnP) that offers Identity Assurance Level equal to 1 (IAL=1) and Authentication Assurance Level equal to 1 (AAL=1)
  • DigiD that offers IAL=2 and AAL=2
  • Eidas that offers IAL=3 and AAL=1

Additionally, step-up with Identity Providers is enabled and all other step-up methods have their authentication level set to 1.

  1. User tries to reach the SP, but is not signed in. User is redirected to the sign-in page.
  2. User registers with the UnP IdP. Their IAL value is 1, AAL value 2.
  3. The SP requires AAL value 2. Currently the user has AAL value 1, which is too low for the SP. User is redirected to the step-up page.
  4. On the step-up page the user signs in with DigiD. Their AAL value in the session is now 2, which is high enough for the SP. DigiD also provided IAL value 2, which is higher than the value the user currently has. The user's IAL has been raised to 2, but is still not high enough.
  5. User is redirected to the additional page where they can choose an Identity Provider that can be used to increase the IAL value to 3. Only Eidas is available. User successfully signs in with Eidas. The user's IAL is raised to 3; the AAL is not lowered.
  6. The required IAL and AAL values have been reached. User is successfully redirected to the SP.
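The IAL and AAL bookkeeping behind Scenarios 1 to 3, as an added example (not Onegini's code): a small Python model in which a person's IAL only ever rises, the session AAL is tracked separately, and the "increase IAL" page offers only providers that reach the required level, and only when coupling is enabled. Provider names and levels are the constructed ones from Scenario 3; the run also exercises the "never lowered" rule from Scenario 2.

```python
# Added example, not Onegini's code: model of how a person's Identity
# Assurance Level (IAL) and session Authentication Assurance Level (AAL)
# move during authentication, following the scenarios on this page.
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityProvider:
    name: str
    ial: int  # Identity Assurance Level the provider offers
    aal: int  # Authentication Assurance Level the provider offers


@dataclass
class Person:
    ial: int = 1          # persisted attribute of the person; never lowered
    session_aal: int = 0  # per-session; 0 means not authenticated yet


def authenticate(person: Person, idp: IdentityProvider) -> Person:
    """Apply a successful login: IAL rises only if the IdP offers more,
    session AAL likewise; neither is ever lowered by a later login."""
    person.ial = max(person.ial, idp.ial)
    person.session_aal = max(person.session_aal, idp.aal)
    return person


def ial_choices(person: Person, required_ial: int, idps, coupling_enabled: bool):
    """Providers the 'increase IAL' page may offer. Empty when the level is
    already reached, or when coupling (automated external identity coupling
    plus binding multiple accounts) is disabled and the page cannot offer one."""
    if person.ial >= required_ial or not coupling_enabled:
        return []
    return [idp.name for idp in idps if idp.ial >= required_ial]


def run_scenario_3():
    """Replays Scenario 3 and returns (final IAL, session AAL,
    providers offered in step 5, whether step-up was needed in step 3)."""
    unp = IdentityProvider("UnP", ial=1, aal=1)
    digid = IdentityProvider("DigiD", ial=2, aal=2)
    eidas = IdentityProvider("Eidas", ial=3, aal=1)
    required_ial, required_aal = 3, 2
    user = authenticate(Person(), unp)                        # step 2
    needs_step_up = user.session_aal < required_aal           # step 3
    authenticate(user, digid)                                 # step 4: AAL 2, IAL 2
    offered = ial_choices(user, required_ial, [unp, digid, eidas], True)  # step 5
    authenticate(user, eidas)                                 # IAL 3, AAL stays 2
    return user.ial, user.session_aal, offered, needs_step_up
```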