The eduPersonAssurance attribute is used to express the "quality" of an account's value in terms of identity management. For example, it indicates the level of identity vetting and whether identifiers can be reused over time.
The content always consists of one or more values (URLs) based on the international REFEDS Assurance Framework, which can express aspects such as:
Whether an issued identifier (such as eduPersonPrincipalName) can ever be reassigned, and if so, after how much time.
How thoroughly the identity of the account holder has been verified in relation to the attribute values, such as name.
How quickly an account is revoked after the user's rights are terminated.
Each institution must compare its identity management practices against this standard to determine which values it can release. The institution (identity provider) guarantees that accounts claiming a particular value actually meet the stated criteria.
SURFconext itself does not process the value of this attribute. Its significance comes from the fact that certain service providers require it or interpret its meaning.
Service Providers Requesting this Attribute
- National Institutes of Health (PubMed): The National Institutes of Health (NIH) service provider supports various services. Some of these services require an eduPersonAssurance value. However, for Dutch institutions, the primary use case seems to be access to the PubMed article database. No eduPersonAssurance values are required for read-only access to PubMed, so you can connect the service without releasing this attribute.
- SURF Research Access Management (SRAM): SRAM is a service that facilitates secure access to online resources for research collaborations. The following REFEDS Assurance Framework value is recommended for access:
- https://refeds.org/assurance/ID/eppn-unique-no-reassign
- MyAccessID (European Supercomputer LUMI): This service manages access to the LUMI European supercomputer. In the future, it plans to require accounts to meet at least the following REFEDS Assurance Framework values (but this is not currently enforced):
- https://refeds.org/assurance/ID/unique
- https://refeds.org/assurance/ID/eppn-unique-no-reassign
- https://refeds.org/assurance/IAP/medium or
- https://refeds.org/assurance/IAP/high
Below, you can find guidance on when to assign these values.
Determining Values for eduPersonAssurance
There are multiple possible values. This guide focuses on values known to be required by service providers (SPs). However, based on the linked specification, you can also define other values. This advice is based on the specification and incorporates the requirements for Identity Providers in SURFconext, as stated in Appendix IX (Bijlage IX).
Reassignment (Identifier Reuse)
Reassignment refers to whether an identifier previously assigned to one person can later be reassigned to someone else. For example, if Jan Jansen had the identifier jjansen@univh.nl, left the institution, and later another Jan Jansen joined, would he also get jjansen@univh.nl? If identifiers are reassigned, the new "owner" may inherit access rights or files from the previous user. This does not apply if the same person returns and reclaims their previous identifier.
| Value | Conditions |
|---|---|
| https://refeds.org/assurance/ID/unique | The attribute uid is never reissued to another user (or a subjectID is also issued). |
| https://refeds.org/assurance/ID/eppn-unique-no-reassign | The attribute eduPersonPrincipalName is never reissued to another user. |
| https://refeds.org/assurance/ID/eppn-unique-reassign-1y | eduPersonPrincipalName is only reissued after at least one year of inactivity. |
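The two sides of this attribute can be worked through in code: an identity provider maps its identifier practices to the reassignment values in the table above, and a service provider such as SRAM or MyAccessID checks the values it receives against its requirement set. The following is an added example, not code from SURFconext, REFEDS or any of the services named on this page. The profile definitions follow the service requirements listed earlier on the page; the SAML assertion is constructed sample data, the function names are the example's own, and the attribute OID `urn:oid:1.3.6.1.4.1.5923.1.1.1.11` is the standard eduPersonAssurance OID, assumed here rather than taken from the page.

```python
"""Added example (not SURFconext's, REFEDS' or any SP's own code).

Part 1: an IdP derives the REFEDS ID/* values it may release from its
identifier-reuse practices (the reassignment table on this page).
Part 2: an SP extracts eduPersonAssurance from a SAML attribute statement
and checks it against the requirement profiles the page lists for
SRAM and MyAccessID.
"""
import xml.etree.ElementTree as ET

REFEDS = "https://refeds.org/assurance/"
SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed well-known OID for eduPersonAssurance (not stated on this page).
EPA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"


def reassignment_values(uid_never_reissued, subject_id_issued,
                        eppn_reissued, eppn_min_inactive_years=0):
    """Map an institution's identifier practices to releasable ID/* values.

    Mirrors the conditions in the reassignment table: ID/unique needs a
    never-reissued uid or a subjectID; the eppn values depend on whether
    and after how long eduPersonPrincipalName may be handed to someone else.
    """
    values = []
    if uid_never_reissued or subject_id_issued:
        values.append(REFEDS + "ID/unique")
    if not eppn_reissued:
        values.append(REFEDS + "ID/eppn-unique-no-reassign")
    elif eppn_min_inactive_years >= 1:
        values.append(REFEDS + "ID/eppn-unique-reassign-1y")
    # Reissue after less than a year of inactivity matches no value: release nothing.
    return values


# Each profile is a list of requirements; a requirement is a set of
# alternatives, any one of which satisfies it. All requirements must hold.
PROFILES = {
    "SRAM": [{REFEDS + "ID/eppn-unique-no-reassign"}],
    "MyAccessID": [
        {REFEDS + "ID/unique"},
        {REFEDS + "ID/eppn-unique-no-reassign"},
        {REFEDS + "IAP/medium", REFEDS + "IAP/high"},
    ],
}


def meets_profile(received, profile):
    """True when every requirement has at least one received alternative."""
    received = set(received)
    return all(received & alternatives for alternatives in profile)


def missing_requirements(received, profile):
    """List the unmet requirements (each as its sorted alternatives)."""
    received = set(received)
    return [sorted(alts) for alts in profile if not received & alts]


def assurance_values_from_assertion(xml_text):
    """Collect eduPersonAssurance values from a SAML 2.0 AttributeStatement.

    Matches the attribute by OID name or by FriendlyName, since IdPs differ
    in which they send. Signature and audience validation are the SAML
    library's job and happen before this function is called.
    """
    ns = {"saml": SAML2_ASSERTION_NS}
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") == EPA_OID or attr.get("FriendlyName") == "eduPersonAssurance":
            for value in attr.iterfind("saml:AttributeValue", ns):
                if value.text and value.text.strip():
                    values.append(value.text.strip())
    return values


# Constructed sample assertion: an IdP that never reissues uid or eppn but
# releases no IAP/* value, so it satisfies SRAM and not MyAccessID.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_ASSERTION_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPA_OID}" FriendlyName="eduPersonAssurance">
      <saml:AttributeValue>{REFEDS}ID/unique</saml:AttributeValue>
      <saml:AttributeValue>{REFEDS}ID/eppn-unique-no-reassign</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    print("IdP may release:", reassignment_values(True, False, False))
    received = assurance_values_from_assertion(SAMPLE_ASSERTION)
    for name, profile in PROFILES.items():
        print(name, "ok" if meets_profile(received, profile)
              else f"missing {missing_requirements(received, profile)}")
```

The profile structure keeps the "IAP/medium or IAP/high" alternative explicit, so an SP can report exactly which requirement an institution still needs to meet, which is the information an IAM team needs when a user follows the advice at the bottom of this page.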
Identity Verification
This value indicates how thoroughly an account holder's identity has been verified.
| Value | Conditions |
|---|---|
| https://refeds.org/assurance/IAP/medium | |
| https://refeds.org/assurance/IAP/high | On top of IAP/medium: |
Your account doesn't have these attributes. What do you do?
If your institution does not release a required eduPersonAssurance attribute, contact your institution's IT department or identity management team. Explain which service you want to use and why this attribute is essential for your access. Reference the service's requirements and explain how this affects your work or research. You can refer to this page for more details for the IAM team.