SAML QoA Specification
Previously, application owners had to select the exact authentication methods (password, mTAN, AuthApp, Vasco, Kerberos, Smartcard, Mobile ID, FIDO security key) that a user could use to access their application. With the QoA concept, the application instead specifies the required QoA class directly in the SAML AuthnRequest, and the user is offered every authentication method that meets at least that QoA level.
The information regarding the QoA concept can be found at: Quality of Authentication (QoA)
eIAM "AuthnContextClasses"
These are the AuthnContextClass URIs used to request a given authentication level for a user (sent as the AuthnContextClassRef of the request):

| Authentication Level | AuthnContextClass |
|---|---|
| QoA10 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:10 |
| QoA20 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:20 |
| QoA30 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:30 |
| QoA40 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:40 |
| QoA50 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:50 |
| QoA51 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:51 |
| QoA60 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:60 |
Example of a SAML authentication request (AuthnRequest)
Only the text content of the XML elements survived extraction; the element each value belongs to is noted in front of it.
saml:Issuer: urn:eiam.admin.ch:sp:eiamportal:testapplication-dev2-11
ds:DigestValue: DUqT3f3n1/kcWER2TVXvFBFJxKg=
ds:SignatureValue: YnA4Wv6guVlSxhpRbOLs4AlEbgYM/M3krAvRkIKXGBzkldshtVV6vMC1cZg7kCt2jT2v8hVgBss9LoTq/3UjXqboX6/SAfrnOd6j4tdLFBBQIGz1n0PkWSofWPAAxBnr3gEQj0v7qDZzEiOjmOX7vAqoVLXsLcsbu10LJmfQnlxoEM9ij3hObiHo29TThZZFTW1uraBydnOY/ev7/rEfOuPJO1YDMcFmNkhi+ffqlXcWBGmjv8BH05Td91T47KfXyGBHwlfqgHMCtgOUWsE2AcG5J1UkttGFo0Em5oa/+ouMKW0OdlXCxINcwtc8b36GEPCF3vf+nUqCr/P6GOB8kw==
ds:X509Certificate: MIIEIDCCAwigAwIBAgIBDzANBgkqhkiG9w0BAQsFADA4MQswCQYDVQGEwJjaDEQMA4GA1UEChMH QWRub3Z1bTEXMBUGA1UEAxMOYml0ZWlhbS1kZXYyQ0EwHhcNMjAwODE4MTMxODIxWhcNMzAwODE2. MTMxODIxWjA8MQswCQYDVQQGEwJjaDEQMA4GA1UEChMHQWRub3Z1bTEbMBkGA1UEAxMSYXV0aFNp Z25lclRlc3RhcHBzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5RIVuFDdqJgDwat9 biWIPyvaDz1QmabjEOBnurv2jNmdanDAF1fwYRnD+Ul2uHewqvYwaFJPTkk2DTMr/OFJu2OKb3Px on3p9ZjsHdcl0b27QTBLPKSdDU14rdxy+ri9tVbXxFMASQo0a6hOfa+c/PGmm/UPH0ArPFKtNhsW aWOSgvQID0LfZLSqp6jeat70LTLl6kvctNEqJ1LzGD4eVYzJsr0GuapFvn49pNFaVVMV17avexOP A7RE4+2V2UAfIAfigl18EJml/RbeXgQQ7fxy7XXDa4qk7DcP6WmJD7vNWu5BzeYPzk9otJW8GT7s xUDzcCadGnP3nBkteO4JZwIDAQABo4IBLzCCASswCQYDVR0TBAIwADA/BglghkgBhvhCAQ0EMhYw TmV2aXMgS2V5Qm94IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZSB1c2luZyBPcGVuU1NMMAsGA1UdDwQE AwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFPcOc/YIn91O1EOs YaH7RQUDjDfBMGAGA1UdIwRZMFeAFI5PWQEokYEIKCDDqBr/DYHE9yCcoTykOjA4MQswCQYDVQQG EwJjaDEQMA4GA1UEChMHQWRub3Z1bTEXMBUGA1UEAxMOYml0ZWlhbS1yb290Q0GCAQYwEQYJYIZI AYb4QgEBBAQDAgbAMB0GA1UdEQQWMBSCEmF1dGhTaWduZXJUZXN0YXBwczANBgkqhkiG9w0BAQsF AAOCAQEAhGu2tM/Vi48BJCIZVCS5fcR3l/GjzeuBO7rJxRlfnD9PE3Apzn90R/Bv35mQpFHySx/T K12kaMf7QVYOGrKBprg+kai9e56Xs9P1OLgojVqTYMoe786ZyJow7KENdnymOHhPOr+4iFqL0Etf hj4vm5/mpU/oiQmhaCaSl79rLMBpN+Zzz962go/d6cWkPTr+GeJ8A/tAS7yhExvPYmGGUYQTaeXC 56iFeHfgLN9zlAFCDBx0cdXQBCH1Miwn5emuoMfpJIdNscfL//RmCyvw7O9Vjj1iX8+rctF4D4T6 PtCMUy15mIh3H3jcGLa1fiM5kevBS0hVXuOms5wlx6AsuQ==
saml:AuthnContextClassRef (inside samlp:RequestedAuthnContext): urn:qoa.eiam.admin.ch:names:tc:ac:classes:20
To request a specific QoA level in a SAML AuthnRequest, add a RequestedAuthnContext element containing an AuthnContextClassRef with the desired class URI (the last value shown in the example above). eIAM treats the requested QoA level as a minimum: if the user authenticates at a higher level, the login is accepted and the level actually reached is reported to the application in the AuthnContextClassRef of the response. Applications must therefore check that the returned class is at least their required level rather than test it for equality with the requested one.
Example of a SAML Response
Only the text content of the XML elements survived extraction; the element each value belongs to is noted in front of it. The Response and the Assertion it carries are each signed.
saml:Issuer (Response): urn:eiam.admin.ch:pep:HARRODS-DEV2
ds:DigestValue (Response signature): Ci+FcNRYDIIXwwR2waNoCUl6P3TWOlytTKo7tIQ6rZw=
ds:SignatureValue (Response signature): EQepX+ogleBb4IsllY+0Gn3NDO475wbvyPmX/rt7OkrKwMDeBKDFMs+YLW6nfFtY0vmQQuyFr5iyixGNjoglnHxr8BjxTtOvZ2hQUaRyUvdPhIKqudXwjrBSXuTn0MKVTte0DsM82mZwsBPJwgFfux6JNGO016ufDGj63jpQPlxCQKs4U4MRI7s65aF7zVtEFpWN8aU5rs6kqKuE9NDagDhzeRo/2d+7hGjjipRoUStfMJSEFyU3IHPA3LI9FUCc3XANdUPMOLVC4sAO/VJ4/YCCY6FLaZ5eB4nJDK+e76v9YRl/p2hC6R2UI0Kf7p4sm4oGSfEhFKWIzZ56HmPlaA==
ds:X509Certificate (Response signature): MIIEFjCCAv6gAwIBAgIBCjANBgkqhkiG9w0BAQsFADA4MQswCQYDVQGEwJjaDEQMA4GA1UEChMH QWRub3Z1bTEXMBUGA1UEAxMOYml0ZWlhbS1kZXYyQ0EwHhcNMjAwODE4MTMxNzU2WhcNMzAwODE2. MTMxNzU2WjA3MQswCQYDVQGEwJjaDEQMA4GA1UEChMHQWRub3Z1bTEWMBQGA1UEAxMNYXV0aFNp Z25lclBFUDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqhL3TD9Ng0ijy1Dy+rP8Kc tVnMHgBhVcTEVCXfypr2BtwBgO66ZVUPzkfsQiCxX64a4qi+5/BFPpo8/A1lw2KjUbuQZffgLFe2 UdS6vMYVcF0bykJ564prtGLTF2LDca247DFSknlnSKJiiXBD9B6z8iQAM1QXRwLbxR5ZjYFe7Pwo Jok0jIepjqb7590XClyOvkkGLy7pk1ig2tAzlkm97WgvgY1P2bbug3jLObi/wgUACJ/YQ4/YJ8AZ QJuARdyNMGyHLh09bFTNS6r6k2FVBurqqA2VQr3ub/wHvXmIzaqKIMfaDOIGSk+lg14NqXfclL8z Q9EuS9CUCczYWw0CAwEAAaOCASowggEmMAkGA1UdEwQCMAAwPwYJYIZIAYb4QgENBDIWME5ldmlz IEtleUJveCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUgdXNpbmcgT3BlblNTTDALBgNVHQ8EBAMCA6gw HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTzNo5TUubYZKsYYY1G2SjT9 U0IuPTBgBgNVHSMEWTBXgBSOT1kBKJGBCCggw6ga/w2BxPcgnKE8pDowODELMAkGA1UEBhMCY2gx EDAOBgNVBAoTB0Fkbm92dW0xFzAVBgNVBAMTDmJpdGVpYW0tcm9vdENBggEGMBEGCWCGSAGG+EIB AQQEAwIGwDAYBgNVHREEETAPgg1hdXRoU2lnbmVyUEVQMA0GCSqGSIb3DQEBCwUAA4IBAQDVqf8p /IZTO87Lfl6QS5i8V1ldm2fF28qwBphTy7qL2x6fUfo5+Tm9ws9ccdS9NKXoeQ1hnPJaNwH9PdCz iUts4z1ZB1aTPcvDB7PmojMmJZPE1PBrmMZWPK/przXTjkCEsjjVUmw0yKy67EHLTX+Z7p0Xy12v hcALq8OOHslsgvZ2oPdE+36qTZ+BU1DyyqJusJW/fW1QbPtdIStfd2q3ykABu5hICugF0EsYJTBW HL0rKmoRTYfnLshTYsf79tjH8fX+Wryr5mVytIo37wsmjsYrHcrhGsFlm64EfSWMK2b7HCBoGYzW HYKazYkhKc+roiAR9EALYlsNkpJ2XfZG
saml:Issuer (Assertion): urn:eiam.admin.ch:pep:HARRODS-DEV2
ds:DigestValue (Assertion signature): rl7ZUdZqNOVMM0UT/dxA0yiMPELnsO3Z3dzeNengRpM=
ds:SignatureValue (Assertion signature): g9k9XqeuFu91fWDdaTH8INj1hdi2lN5I/rTaoHjeS9LGktUWC2y7seubCTAO+S0v9GTyytdCq4LzTTHFw627uIeBKxbAQE0KnsiWbvob61UvjoBVW6KGvkK02ou3cQUWsoiUcTUmX/WDBMrSVsJ+Ld7aAK7wnd0Sgn4ynLlDjjwbZH+KjejeW5d9r6Kc8tUm4vsq6mbiOSWxqM9WsNA/cqJaUg9Xr1bKYA8Q6APHmm4b5tyuNOxsZzorobxQzoDtrpYaOQ5w6lQxy74TLoLIP43yhu0dAOttKsquMoJ+bDU1WXYEvWcPhIal/iAhl40QYnUlBIolfRRA75Lt4G8MZg==
ds:X509Certificate (Assertion signature): MIIEFjCCAv6gAwIBAgIBCjANBgkqhkiG9w0BAQsFADA4MQswCQYDVQGEwJjaDEQMA4GA1UEChMH QWRub3Z1bTEXMBUGA1UEAxMOYml0ZWlhbS1kZXYyQ0EwHhcNMjAwODE4MTMxNzU2WhcNMzAwODE2. MTMxNzU2WjA3MQswCQYDVQGEwJjaDEQMA4GA1UEChMHQWRub3Z1bTEWMBQGA1UEAxMNYXV0aFNp Z25lclBFUDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqhL3TD9Ng0ijy1Dy+rP8Kc tVnMHgBhVcTEVCXfypr2BtwBgO66ZVUPzkfsQiCxX64a4qi+5/BFPpo8/A1lw2KjUbuQZffgLFe2 UdS6vMYVcF0bykJ564prtGLTF2LDca247DFSknlnSKJiiXBD9B6z8iQAM1QXRwLbxR5ZjYFe7Pwo Jok0jIepjqb7590XClyOvkkGLy7pk1ig2tAzlkm97WgvgY1P2bbug3jLObi/wgUACJ/YQ4/YJ8AZ QJuARdyNMGyHLh09bFTNS6r6k2FVBurqqA2VQr3ub/wHvXmIzaqKIMfaDOIGSk+lg14NqXfclL8z Q9EuS9CUCczYWw0CAwEAAaOCASowggEmMAkGA1UdEwQCMAAwPwYJYIZIAYb4QgENBDIWME5ldmlz IEtleUJveCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUgdXNpbmcgT3BlblNTTDALBgNVHQ8EBAMCA6gw HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTzNo5TUubYZKsYYY1G2SjT9 U0IuPTBgBgNVHSMEWTBXgBSOT1kBKJGBCCggw6ga/w2BxPcgnKE8pDowODELMAkGA1UEBhMCY2gx EDAOBgNVBAoTB0Fkbm92dW0xFzAVBgNVBAMTDmJpdGVpYW0tcm9vdENBggEGMBEGCWCGSAGG+EIB AQQEAwIGwDAYBgNVHREEETAPgg1hdXRoU2lnbmVyUEVQMA0GCSqGSIb3DQEBCwUAA4IBAQDVqf8p /IZTO87Lfl6QS5i8V1ldm2fF28qwBphTy7qL2x6fUfo5+Tm9ws9ccdS9NKXoeQ1hnPJaNwH9PdCz iUts4z1ZB1aTPcvDB7PmojMmJZPE1PBrmMZWPK/przXTjkCEsjjVUmw0yKy67EHLTX+Z7p0Xy12v hcALq8OOHslsgvZ2oPdE+36qTZ+BU1DyyqJusJW/fW1QbPtdIStfd2q3ykABu5hICugF0EsYJTBW HL0rKmoRTYfnLshTYsf79tjH8fX+Wryr5mVytIo37wsmjsYrHcrhGsFlm64EfSWMK2b7HCBoGYzW HYKazYkhKc+roiAR9EALYlsNkpJ2XfZG
saml:NameID (Subject): CH99999
saml:Audience (Conditions/AudienceRestriction): urn:eiam.admin.ch:sp:eiamportal:testapplication-dev2-11
saml:AuthnContextClassRef (AuthnStatement/AuthnContext, the level actually reached): urn:qoa.eiam.admin.ch:names:tc:ac:classes:20
saml:AttributeStatement values (the attribute names were not preserved in the extract):
CH999999
99999
John
Doe
john.doe@bit.admin.ch
John Doe
en
99999
CH999999
uid=99999,ou=999.selfreg,ou=999.extern,o=999,o=EIAM,o=ADMIN,c=CH
urn:eiam.admin.ch:idp:e-id:CH-LOGIN-DEV2
true
HARRODS-guestautosilent.ALLOW
HARRODS-guestautosilent-ext.ALLOW
HARRODS-weakautosilent.ALLOW
John
Doe
john.doe@bit.admin.ch
John Doe
en
99999
999.access-request
AccessRequest
99999
99999\HARRODS-guestautosilent.ALLOW
99999\HARRODS-guestautosilent-ext.ALLOW
99999\HARRODS-weakautosilent.ALLOW
99999\999.access-request
99999\Profile-CHL9999999
CHL999999
99999\AccessRequest
CH99999
999
E-ID CH-LOGIN
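The two halves of the flow described on this page, requesting a minimum QoA class in the AuthnRequest and then checking the class eIAM reports back in the Response, as an added worked example. This is not eIAM's own code or a part of any eIAM SDK. It assumes that the QoA classes order by their numeric suffix as listed in the table (10 < 20 < 30 < 40 < 50 < 51 < 60), that `RequestedAuthnContext` with `Comparison="minimum"` (the SAML 2.0 attribute for "at least this level") is the way the request is expressed, and that XML-signature, Issuer, Audience and replay validation has already been done by a SAML library before these functions see the XML. The entity ID and PEP issuer are taken from the examples above; the ACS and SSO URLs and the sample Response are constructed for the demonstration.

```python
"""Request a minimum QoA from eIAM and enforce it on the returned assertion.

Added example (not eIAM's own code). Assumptions: the QoA class URIs order by
their numeric suffix (10 < 20 < 30 < 40 < 50 < 51 < 60, as listed on this
page); RequestedAuthnContext/@Comparison="minimum" is the SAML 2.0 way to
express "at least this level"; XML-signature, Issuer, Audience and replay
checks are done by the SAML library before these functions see the XML.
"""
import re
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml / a SAML toolkit on untrusted input

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
QOA_PREFIX = "urn:qoa.eiam.admin.ch:names:tc:ac:classes:"
QOA_LEVELS = (10, 20, 30, 40, 50, 51, 60)  # the classes documented on this page
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def qoa_class(level):
    """QoA level -> AuthnContextClassRef URI, refusing undocumented levels."""
    if level not in QOA_LEVELS:
        raise ValueError(f"unknown QoA level {level}")
    return f"{QOA_PREFIX}{level}"


def qoa_level(class_ref):
    """AuthnContextClassRef URI -> QoA level. Anything else (e.g. a standard
    SAML class such as ...:ac:classes:Password) is rejected, never mapped."""
    m = re.fullmatch(re.escape(QOA_PREFIX) + r"(\d+)", class_ref.strip())
    if not m or int(m.group(1)) not in QOA_LEVELS:
        raise ValueError(f"unknown AuthnContextClassRef {class_ref!r}")
    return int(m.group(1))


def build_authn_request(sp_entity_id, acs_url, destination, min_level):
    """Unsigned AuthnRequest asking for at least `min_level` (sign it before sending)."""
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xsd:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{NS_SAMLP}}}RequestedAuthnContext",
                        {"Comparison": "minimum"})
    ET.SubElement(rac, f"{{{NS_SAML}}}AuthnContextClassRef").text = qoa_class(min_level)
    return ET.tostring(req, encoding="utf-8")


def parse_requested_qoa(request_xml):
    """IdP-side view: (level, comparison) the SP asked for; SAML defaults comparison to 'exact'."""
    rac = ET.fromstring(request_xml).find(f"{{{NS_SAMLP}}}RequestedAuthnContext")
    ref = None if rac is None else rac.find(f"{{{NS_SAML}}}AuthnContextClassRef")
    if ref is None or not ref.text:
        raise ValueError("no RequestedAuthnContext/AuthnContextClassRef in request")
    return qoa_level(ref.text), rac.get("Comparison", "exact")


def returned_qoa_level(response_xml):
    """Level eIAM reports in the assertion's AuthnStatement; exactly one is expected."""
    refs = ET.fromstring(response_xml).findall(
        f".//{{{NS_SAML}}}AuthnStatement/{{{NS_SAML}}}AuthnContext/{{{NS_SAML}}}AuthnContextClassRef")
    if len(refs) != 1 or not refs[0].text:
        raise ValueError("expected exactly one AuthnContextClassRef in the assertion")
    return qoa_level(refs[0].text)


def meets_min_qoa(response_xml, min_level):
    """True if the returned level is >= min_level. A higher level is fine (eIAM may
    have stepped the user up); an unknown class or a lower level fails closed."""
    try:
        return returned_qoa_level(response_xml) >= min_level
    except ValueError:
        return False


def make_sample_response(class_ref):
    """Constructed, unsigned Response fragment for demonstration; not a real eIAM message."""
    return f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
    ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>urn:eiam.admin.ch:pep:HARRODS-DEV2</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>urn:eiam.admin.ch:pep:HARRODS-DEV2</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2020-01-01T00:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>""".encode()


# The application asked for QoA20; the user authenticated at QoA30, which is accepted.
SAMPLE_RESPONSE = make_sample_response(qoa_class(30))

if __name__ == "__main__":
    print(build_authn_request("urn:eiam.admin.ch:sp:eiamportal:testapplication-dev2-11",
                              "https://sp.example/acs", "https://idp.example/sso", 20).decode())
    print("QoA20 required, got QoA", returned_qoa_level(SAMPLE_RESPONSE),
          "->", meets_min_qoa(SAMPLE_RESPONSE, 20))
```

The check in `meets_min_qoa` is the part that matters on the application side: because eIAM may return a higher class than requested, comparing the returned URI for equality with the requested one would reject legitimate step-ups, while mapping an unrecognised class (a standard SAML class, or a URI with a different prefix) to any level at all would let a weaker context through; the helper therefore compares numerically and fails closed on anything it cannot parse.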