ProtectNetwork

Cloud based E-Credential Management service

Policies: Level of Assurance (LOA)

LOA stands for Level of Assurance. ProtectNetwork provides UserIDs at two different levels of assurance. End-users are assigned one of the two possible LOA values, 1 or 2, depending on the level of identity vetting and proofing performed on the user's information.

LOA-1: Self-Asserted User Identity

This form of user identity consists of a username and password. The ProtectNetwork team does not provide a lower level of assurance regarding information provided to us (the ProtectNetwork team) by the end-user requesting such a UserID. The end-user simply enters their personal information during UserID registration, and a ProtectNetwork UserID is issued if they provide a valid and verifiable email address.

LOA-2: Sponsored User Identity

This form of user identity consists of a username and password and is issued to users who are sponsored by an Enterprise ID Administrator. The Enterprise ID Administrator affirms to the ProtectNetwork team that they have followed adequate and appropriate IDM best practices before sponsoring such users in the ProtectNetwork service. Once such assurance and sponsorship are provided for the user, an LOA-2 UserID is issued to the user, and a special attribute indicating the LOA value is set during attribute exchange with trusted SAML service provider sites.

Sharing of Level of Assurance (LOA)

The LOA value is shared by ProtectNetwork with trusted Service Provider sites using a special attribute: http://protectnetwork.org/pn/loa

The permissible values for this attribute are:

  • LOA-1
  • LOA-2

A sample AAP.xml rule to accept this attribute would be:

<AttributeRule Name="http://protectnetwork.org/pn/loa"
Header="Shib-PN-LOA" Alias="LOA">
  <SiteRule Name="pnidm">
    <Value>LOA-1</Value>
    <Value>LOA-2</Value>
  </SiteRule>
</AttributeRule>
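
An application behind the service provider can use the exported Shib-PN-LOA header to require a minimum level of assurance. The following is an added example, not part of the ProtectNetwork documentation; it assumes the application receives request headers as a mapping keyed by the exact header name and that the SP joins multiple attribute values with ';'. The function names are hypothetical.

```python
# Added example: enforce a minimum LOA from the Shib-PN-LOA header.
# Assumptions (not from the page): headers arrive as a dict keyed by the
# exact header name, and multiple attribute values are joined with ';'.

LOA_HEADER = "Shib-PN-LOA"            # Header= value from the AAP.xml rule
LOA_RANK = {"LOA-1": 1, "LOA-2": 2}   # the two permissible values


def parse_loa(header_value):
    """Return the asserted LOA rank (1 or 2), or None if it cannot be used."""
    if not header_value:
        return None                   # attribute not released or filtered out
    values = [v.strip() for v in header_value.split(";") if v.strip()]
    if not values:
        return None
    ranks = []
    for value in values:
        if value not in LOA_RANK:     # exact match only: rejects "loa-2", "LOA-3"
            return None
        ranks.append(LOA_RANK[value])
    return min(ranks)                 # conflicting values: use the weakest


def is_authorized(headers, required="LOA-2"):
    """Fail closed: allow only when the asserted LOA meets the requirement."""
    rank = parse_loa(headers.get(LOA_HEADER))
    return rank is not None and rank >= LOA_RANK[required]


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        {"Shib-PN-LOA": "LOA-2"},         # sponsored identity
        {"Shib-PN-LOA": "LOA-1"},         # self-asserted identity
        {"Shib-PN-LOA": "LOA-1;LOA-2"},   # conflicting values
        {"Shib-PN-LOA": "LOA-3"},         # value outside the permitted set
        {},                               # attribute absent
    ]
    for headers in samples:
        print(headers, "->", "allow" if is_authorized(headers) else "deny")
```

The header value is only meaningful when the application is reachable solely through the SP that sets it; a request that bypasses the SP can carry any value.
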
© Copyright 2004 - 2010 | 9Star Research, Inc. | All Rights Reserved