- Created by Ann Base, last modified by Ylva Andersson on Jan 23, 2023
In a federated scenario where Smart ID Digital Access component works as a SAML identity provider, service providers may ask for a certain Level of Assurance (LoA) by defining one or several corresponding SAML authentication contexts in the request to Digital Access during the authentication. Only those authentication methods that are qualified to provide the corresponding security are then shown to the user. With Digital Access you can assign one or several authentication contexts to each authentication method to define which LoA that is supported by a specific authentication method.
Digital Access only shows those authentication methods during the authentication, whose Authentication Context matches the values in the SAML request.
If none of the authentication methods supports the requested authentication context, all methods are shown to the user. This can happen if the service provider does not ask for a certain authentication context but allows one with higher level of assurance and therefore higher security.
In a SAML federated scenario where Digital Access acts as an IDP proxy, a similar behavior can be achieved by setting the LoA translation group property. LoA translation groups define the conditions when to convert the
AuthNContextClassRef in the SAML response to a new value.
A scenario when LoA translation groups can be useful is when a SAML IDP Proxy is used and the external IDP is unable to send back the expected
AuthNContextClassRef. This translation also works in case of Digital Access acting as a SAML IDP.
With Digital Access it is also possible to define authentication contexts used for signing. See Use authentication methods in Digital Access for signing over SAML.
- Log in to Digital Access Admin with an administrator account.
- Set up an authentication method, for example, Swedish Mobile BankID. For more information, see Set up authentication method in Digital Access.
- Open the Extended Properties tab.
- Click Add Extended Property...
- Select SAML Authentication Context from the Key drop-down menu.
Define authentication context(s) as a space separated list in the Value field. For example, http://id.elegnamnden.se/loa/1.0/loa3.
The most right defined authentication context in the list is sent back to the service provider if the authentication method used for authentication doesn't contain the requested value or if the request contains two or several of the authentication contexts that the authentication methods supports. Because of this, and if you define more than one authentication context, write them in a sorted order from left to right. The highest value at the most right.
- Click Save.
- Click Publish.
- Under Manage SAML Federation > Manage Global SAML federation settings, go to the Manage LoA Translation section.
- Click Add a Translation group...
- Add the Translate To, Translate from values and the SAML federation where you wish to apply this translation.
- Click Save.
- Click Publish.
This article includes updates for Smart ID 20.11 and Digital Access 6.3.0.