Authentication
Login via LSO using LONA: LSO Authentication Flow
PrivacyLevel vs. AuthLevel
We distinguish between PrivacyLevel and AuthLevel, but both use the same numeric scale, so the two can be compared directly.
- The PrivacyLevel has to be defined by the Owner of the information or document. The Owner has to classify his document considering the data privacy.
- The AuthLevel is set during the authentication process based on the authentication method.
The application is responsible for comparing the PrivacyLevel of the information with the AuthLevel of the current login.
The information may only be shown if its PrivacyLevel is less than or equal to the AuthLevel.
| PrivacyLevel | Value | AAL | AuthLevel |
|---|---|---|---|
| | 200 | 3 | PKI Card |
| Secret / Geheim | 150 | 3 | |
| | 100 | 2 | RSA SecurID |
| | 100 | 2 | VSC (Virtual Smart Card) |
| | 100 | 2 | (B2B)-TOTP |
| Confidential / Vertraulich | 80 | 2 | |
| | 10 | 1 | Basic-Auth / User-Password |
| Internal / Intern | 5 | 1 | |
| Public / Öffentlich | 0 | 0 | 1) |
1) Unauthenticated requests are not extended with an identity token, so you will never find the value 0 or AAL 0 in a B2B JWT identity token.
Stepup Authentication
If the AuthLevel is insufficient for the required PrivacyLevel, the application has several options for how to react. The simplest is to show a Forbidden error page such as 403.shtml. The more user-friendly way is to give the user a chance to reauthenticate with a higher AuthLevel (Step-Up Auth). The LSO-Proxies provide a special reauth URL for this. The reauth needs two parameters: the required PrivacyLevel and the URL to return to after reauthentication. The reauthentication dialog will only offer authentication methods that satisfy the given minAuthLevel:
/reauth?minAuthLevel=<required PrivacyLevel>&url=<redirectURL>
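The following Python snippet is an added example (not code from the LSO/LONA project) showing the application-side decision described above: compare the PrivacyLevel of a document with the AuthLevel of the current login, and on a mismatch either answer 403 or build the step-up redirect to the reauth URL. The level values and method names come from the table on this page; the claim name `authLevel`, the dictionary layout of the decoded token, and the restriction of the return URL to a site-relative path are assumptions made for the example.

```python
from urllib.parse import urlencode

# Numeric scale shared by PrivacyLevel and AuthLevel (values from the table above).
PRIVACY_LEVELS = {"secret": 150, "confidential": 80, "internal": 5, "public": 0}

# AuthLevel the table assigns to each authentication method.
AUTH_METHOD_LEVELS = {
    "PKI Card": 200,
    "RSA SecurID": 100,
    "VSC": 100,
    "B2B-TOTP": 100,
    "Basic-Auth": 10,
}

REAUTH_PATH = "/reauth"  # reauth endpoint of the LSO-Proxies, as named on this page


def auth_level_from_claims(claims):
    """Return the AuthLevel of the current login.

    `claims` is the decoded identity token as a dict, or None for an
    unauthenticated request (no token is issued for those, see footnote 1),
    which therefore maps to AuthLevel 0.  The claim name "authLevel" is an
    assumption; the real token layout is not described on this page.
    """
    if not claims:
        return 0
    try:
        return int(claims.get("authLevel", 0))
    except (TypeError, ValueError):
        # A malformed level must never grant access: treat it as unauthenticated.
        return 0


def is_safe_return_url(url):
    """Accept only site-relative paths as the post-reauth target (assumption:
    the application never needs to return to a different host)."""
    return url.startswith("/") and not url.startswith("//")


def authorize(privacy_level, claims, request_url, step_up=True):
    """Apply the page's rule: show the information only if PrivacyLevel <= AuthLevel.

    Returns one of:
      ("allow", None)            - the login is strong enough
      ("redirect", reauth_url)   - step-up: send the user to /reauth
      ("forbidden", None)        - 403 page (step-up disabled or unsafe return URL)
    """
    current = auth_level_from_claims(claims)
    if privacy_level <= current:
        return ("allow", None)
    if not step_up or not is_safe_return_url(request_url):
        return ("forbidden", None)
    # minAuthLevel carries the required PrivacyLevel; url is the return target.
    query = urlencode({"minAuthLevel": privacy_level, "url": request_url})
    return ("redirect", f"{REAUTH_PATH}?{query}")


def methods_satisfying(min_auth_level):
    """Authentication methods whose AuthLevel reaches the given minAuthLevel,
    i.e. what the reauthentication dialog would be allowed to offer."""
    return sorted(m for m, lvl in AUTH_METHOD_LEVELS.items() if lvl >= min_auth_level)


if __name__ == "__main__":
    # Constructed sample: a Basic-Auth login (AuthLevel 10) opening a confidential document.
    token = {"sub": "user@example.invalid", "authLevel": 10}
    print(authorize(PRIVACY_LEVELS["confidential"], token, "/docs/42?view=full"))
    print(methods_satisfying(PRIVACY_LEVELS["confidential"]))
```

Because `urlencode` percent-encodes the return URL, a target with its own query string survives the round trip through the `url` parameter intact.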