Assurance level in the Shibboleth process

Information on assurance levels transmitted while signing on via Shibboleth

Since 2023, service providers can require a certain assurance level of an identity when logging in.

The IDP of the University of Stuttgart transmits the following assurance classes when logging in:

(IAP = Identity Assurance Profile)

  • IAP/low, for all members of the University of Stuttgart (employees and students)
  • IAP/medium, if an additional identity check has been carried out and documented in the SIAM database (see below)
  • IAP/high, currently not assigned (an electronic ID is required, see below)

In general, employee accounts are assigned the following attributes from the Assurance Framework:

  1. https://refeds.org/assurance/ID/unique
    The identifier "eppn" (eduPersonPrincipalName) is unique within the university.
  2. https://refeds.org/assurance/ID/no-eppn-reassign
    eppn values that are or were already in use are not reassigned to other accounts
  3. https://refeds.org/assurance/IAP/local-enterprise
    The reliability is sufficient for logging in to the university's administrative systems
  4. https://refeds.org/assurance/ATP/ePA-1m and
    https://refeds.org/assurance/ATP/ePA-1d
    Changes to persons and accounts are transferred to all systems within one day

Student accounts are always assigned the following attributes from the Assurance Framework:

  1. https://refeds.org/assurance/ID/unique
  2. https://refeds.org/assurance/ID/no-eppn-reassign
  3. https://refeds.org/assurance/ATP/ePA-1m and
    https://refeds.org/assurance/ATP/ePA-1d

If the person's identity has not yet been verified by IZUS/TIK, each account of this person is also assigned reliability class
https://refeds.org/assurance/IAP/low

If an identity check has been documented in IZUS/TIK, the reliability class changes to
https://refeds.org/assurance/IAP/medium

The class https://refeds.org/assurance/IAP/high will be offered in future if validation with an electronic ID (eID) has been implemented.

If you require the reliability class medium for a successful login to a service, you must have an identity check carried out as described below.
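As an added example (not part of this documentation), the following Python snippet shows how a service could evaluate the REFEDS values it receives from the IdP against a required reliability class; the attribute name eduPersonAssurance, the semicolon-joined value format and the two sample accounts are assumptions.

```python
# Added example (not from this documentation): checking the REFEDS Assurance
# Framework values an IdP releases against a service's requirement. The
# attribute name eduPersonAssurance, the ';'-joined value format and the
# sample accounts below are assumptions for illustration.

REFEDS = "https://refeds.org/assurance/"
IAP_PREFIX = REFEDS + "IAP/"

# Reliability classes in ascending order: a higher class satisfies a
# requirement for a lower one.
IAP_ORDER = ("low", "medium", "high")

# Identifier guarantees that every university account carries.
REQUIRED_ID_VALUES = {REFEDS + "ID/unique", REFEDS + "ID/no-eppn-reassign"}

# Constructed sample value strings, in the form Shibboleth SP hands
# multi-valued attributes to the application (values joined with ';').
EMPLOYEE_VERIFIED = ";".join(REFEDS + p for p in (
    "ID/unique", "ID/no-eppn-reassign", "IAP/local-enterprise",
    "ATP/ePA-1m", "ATP/ePA-1d", "IAP/medium"))
STUDENT = ";".join(REFEDS + p for p in (
    "ID/unique", "ID/no-eppn-reassign", "ATP/ePA-1m", "ATP/ePA-1d", "IAP/low"))


def parse_assurance(raw):
    """Split the ';'-joined attribute into a set; empty input gives an empty set."""
    return {v.strip() for v in raw.split(";") if v.strip()}


def iap_level(values):
    """Highest asserted class among low/medium/high, or None if none is present.
    IAP/local-enterprise is deliberately not part of this ordering."""
    levels = [v[len(IAP_PREFIX):] for v in values
              if v.startswith(IAP_PREFIX) and v[len(IAP_PREFIX):] in IAP_ORDER]
    return max(levels, key=IAP_ORDER.index) if levels else None


def meets_requirement(raw, required_iap):
    """Accept only if the eppn guarantees are asserted and the identity's
    class is at least `required_iap`."""
    values = parse_assurance(raw)
    level = iap_level(values)
    if level is None or not REQUIRED_ID_VALUES <= values:
        return False
    return IAP_ORDER.index(level) >= IAP_ORDER.index(required_iap)
```

A login with only an IAP value but without the unique, non-reassigned eppn guarantees is rejected even for "low", because the identifier could otherwise be reused for another person.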

Background to this change

Until 2023, identity providers (IDPs) within the DFN-AAI (and also within eduGAIN) were assigned to a reliability class, meaning that each person automatically received the reliability class of the IDP used to log in. For the IDP of the University of Stuttgart, this was the reliability class "advanced".

In 2023, this approach was changed to the REFEDS Assurance Framework, which now defines reliabilities per person and their user accounts. The assurance classes of an identity are now:

  • IAP/low
  • IAP/medium
  • IAP/high

Identity check at the University of Stuttgart

As a rule, the University of Stuttgart does not check the identity of a person being hired by means of an identification document (identity card, passport). However, this is a prerequisite for the delivery of the reliability class "medium". For this reason, the IDP can generally only deliver the reliability class "low" for logins.

Persons whose identity has already been checked, e.g. when applying for certificates, are assigned the reliability class "medium".

You can currently (as of 09/2023) obtain the reliability class "medium" if you have an identity check carried out at one of the following locations:

  • IZUS/TIK, Allmandring 30a 
  • IZUS/TIK, Breitscheidstr. 2b
  • BERA, Pfaffenwaldring 57, Room 0.704

Please make an appointment by sending an e-mail to our support address:

pki-support@tik.uni-stuttgart.de

It is planned to display a person's identity verification level in the self-service (SIAM) in the future. 
