Comment: New information added about LoA translation groups for DA 6.3.0.

In a federated scenario where the Smart ID Digital Access component works as a SAML identity provider, service providers may ask for a certain Level of Assurance (LoA) by defining one or several corresponding SAML authentication contexts in the request sent to Digital Access during authentication. Only those authentication methods that are qualified to provide the corresponding security are then shown to the user. In Digital Access you can assign one or several authentication contexts to each authentication method to define which LoA a specific authentication method supports.

During authentication, Digital Access shows only those authentication methods whose authentication context matches the values in the SAML request.

If none of the authentication methods supports the requested authentication context, all methods are shown to the user. This can happen if the service provider does not ask for a certain authentication context but allows one with a higher level of assurance, and therefore higher security.

In a SAML federated scenario where Digital Access acts as an IDP proxy, a similar behavior can be achieved by setting the LoA translation group property. LoA translation groups define the conditions under which the AuthNContextClassRef in the SAML response is converted to a new value.

A scenario in which LoA translation groups are useful is when a SAML IDP proxy is used and the external IDP is unable to send back the expected AuthNContextClassRef. This translation also works when Digital Access acts as a SAML IDP.

With Digital Access it is also possible to define authentication contexts used for signing. See Use authentication methods in Digital Access for signing over SAML.


Step-by-step instructions

Log in to Digital Access Admin
  1. Log in to Digital Access Admin with an administrator account.


Set up authentication method with authentication context
  1. Set up an authentication method, for example, Swedish Mobile BankID. For more information, see Set up authentication method in Digital Access.
  2. Open the Extended Properties tab.
  3. Click Add Extended Property...
  4. Select SAML Authentication Context from the Key drop-down menu.
  5. Define the authentication context(s) as a space-separated list in the Value field. For example, http://id.elegnamnden.se/loa/1.0/loa3.

    Note

    The rightmost authentication context in the list is sent back to the service provider if the authentication method used for authentication does not contain the requested value, or if the request contains two or more of the authentication contexts that the authentication method supports. Therefore, if you define more than one authentication context, write them in sorted order from left to right, with the highest value at the far right.


  6. Click Save.
  7. Click Publish.


Optional: Create access rule
Before the authentication methods that match the authentication context are selected, configured access rules are evaluated and pre-filter the list of available authentication methods. To configure access rules for a federation, see Access rules in Digital Access.


Set up LoA translation groups
  1. Under Manage SAML Federation > Manage Global SAML federation settings, go to the Manage LoA Translation section.
  2. Click Add a Translation group...
  3. Add the Translate To and Translate From values, and the SAML federation where you wish to apply this translation.
  4. Click Save.
  5. Click Publish.

This article is valid
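The following is an added example, not Digital Access code, that models the two rules described above: how the configured authentication contexts filter the offered methods and decide the AuthnContextClassRef returned (including the rightmost fallback from the note), and how a LoA translation group rewrites that value for a given federation. Method names, the urn:example contexts and the federation name are constructed sample values; only the loa3 URI comes from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthMethod:
    name: str
    # Value of the "SAML Authentication Context" extended property:
    # a space-separated list, sorted left to right, highest LoA rightmost.
    contexts: str

    def context_list(self):
        return self.contexts.split()

def filter_methods(methods, requested):
    """Methods whose context list overlaps the contexts in the SAML request.
    If no method matches, all methods are offered (the page's fallback).
    Access rules, which pre-filter `methods`, are assumed already applied."""
    wanted = set(requested)
    matching = [m for m in methods if wanted & set(m.context_list())]
    return matching if matching else list(methods)

def response_context(method, requested):
    """AuthnContextClassRef sent back for the method the user authenticated with.
    Exactly one requested context supported by the method -> that context.
    None, or two or more -> the rightmost (highest) configured context."""
    supported = [c for c in method.context_list() if c in requested]
    if len(supported) == 1:
        return supported[0]
    return method.context_list()[-1]

def translate_loa(context, federation, groups):
    """Apply LoA translation groups. `groups` maps
    (federation, translate_from) -> translate_to; unmatched values pass through."""
    return groups.get((federation, context), context)

# Constructed sample configuration (hypothetical names and URIs).
LOA3 = "http://id.elegnamnden.se/loa/1.0/loa3"          # from the page
LOA_MID = "urn:example:loa/mid"                          # constructed
LOA_LOW = "urn:example:loa/low"                          # constructed
BANKID = AuthMethod("Swedish Mobile BankID", f"{LOA_MID} {LOA3}")
PASSWORD = AuthMethod("Password", LOA_LOW)
METHODS = [PASSWORD, BANKID]
# One translation group: for federation "sp-portal" (constructed), an external
# IDP's AuthnContextClassRef LOA_MID is translated to the expected LOA3.
GROUPS = {("sp-portal", LOA_MID): LOA3}

if __name__ == "__main__":
    offered = filter_methods(METHODS, [LOA3])
    chosen = offered[0]
    ref = response_context(chosen, [LOA3])
    print(chosen.name, "->", translate_loa(ref, "sp-portal", GROUPS))
```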