Silver CA Policy

Frequently Asked Questions (FAQ)

  • When I log on at https://cilogon.org/, why do I see "Level of Assurance: Basic" rather than "Level of Assurance: Silver"?

    • Users will see "Level of Assurance: Basic" if their authentication attributes from their identity provider do not meet the CILogon Silver CA's policy requirements. To check, visit https://test.cilogon.org/testidp/ and Log On. In the list of SAML Attributes shown, confirm that Level of Assurance contains https://refeds.org/assurance/profile/cappuccino and AuthnContextClassRef contains https://refeds.org/profile/sfa or https://refeds.org/profile/mfa. If it doesn't, look in the list of Metadata Attributes for the Support Contact for your identity provider and contact them for assistance.

    • In the case of the XSEDE IdP, Level of Assurance will contain https://refeds.org/assurance/profile/cappuccino only if the user is on an active allocation as shown at https://portal.xsede.org/allocations/usage.

  • How do I configure my IdP so that my users can obtain CILogon Silver certificates?

    • Set an eduPersonAssurance attribute containing the value https://refeds.org/assurance/profile/cappuccino in the SAML authentication assertion to indicate that the assertion has been issued under the conditions of the Cappuccino profile defined in the REFEDS Assurance Framework.

    • Set the SAML AuthnContextClassRef value to https://refeds.org/profile/sfa or https://refeds.org/profile/mfa in the SAML authentication assertion to indicate that the assertion has been issued under the conditions of either the REFEDS Single Factor Authentication Profile or the REFEDS Multi Factor Authentication Profile.

  • What if only a subset of my IdP's users meet the REFEDS Cappuccino level of assurance?

    • It is not necessary for all your users to meet the REFEDS Cappuccino requirements. Set the eduPersonAssurance and AuthnContextClassRef values for the users that do, and they will be able to obtain CILogon Silver certificates. Your other users may obtain CILogon Basic CA certificates instead.

  • Where can I find more information about REFEDS Cappuccino?

    • While https://refeds.org/assurance/profile/cappuccino is the attribute value for indicating compliance with the Cappuccino profile in the REFEDS Assurance Framework, there is no web page at that location. Please visit https://refeds.org/assurance for information about the REFEDS Assurance Framework including the Cappuccino profile.

  • How does REFEDS Assurance relate to IGTF Assurance?

    • The REFEDS Assurance Framework contains explicit mappings to IGTF Assurance for identity proofing. REFEDS "low" maps to IGTF DOGWOOD and IGTF ASPEN, and REFEDS "medium" maps to IGTF BIRCH and IGTF CEDAR. Since the CILogon Silver CA is an IGTF MICS CA, it requires the IGTF BIRCH level of assurance, corresponding to REFEDS "medium" which is part of the Cappuccino profile defined in the REFEDS Assurance Framework.

  • Do I need to change my system configuration to accept CILogon Silver certificates?

    • The CILogon Silver CA is already included in the XSEDE and IGTF certificate packages, so for resource providers that have installed one of these packages, no configuration update is needed to accept CILogon Silver certificates.

    • Certificates from the CILogon Silver CA will contain the following Issuer DN: /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1

    • For comparison, certificates from the CILogon Basic CA will contain the following Issuer DN: /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1

    • Certificate subject DNs for both CAs have a prefix of “/DC=org/DC=cilogon/”.

    • Certificates for XSEDE users have subject DNs of the following form: /DC=org/DC=cilogon/C=US/O=XSEDE/CN=EndEntityName UniqueSerialNumber

      • For example: /DC=org/DC=cilogon/C=US/O=XSEDE/CN=Jim Basney C47983

    • A user’s Subject DN does not change when migrating between the CILogon Silver and CILogon Basic CAs, so if a user is added to an XSEDE allocation and thus becomes eligible for a CILogon Silver certificate, then the allocation ends and thus the user is only eligible for a CILogon Basic, the user’s DN will remain the same even though the CA (and Issuer DN) changes.

  • How do I configure my system to require CILogon Silver certificates?

    • Services requiring a higher level of assurance may choose to accept certificates from the CILogon Silver CA (IGTF MICS) but not the CILogon Basic CA (IGTF IOTA) by only including the CA certificate of the former but not the latter in /etc/grid-security/certificates.

    • For example, to install only Classic, MICS, and SLCS CAs from IGTF Debian packages (https://dist.igtf.net/distribution/igtf/current) do:

      • apt-get install ca-policy-igtf-classic ca-policy-igtf-mics ca-policy-igtf-slcs

      • apt-get remove ca-policy-igtf-iota

    • Or to only install the CILogon Silver CA do:

      • apt-get install ca-cilogon-silver

    • On CentOS, to install only Classic, MICS, and SLCS CAs from IGTF packages (https://dist.igtf.net/distribution/current/) do:

      • yum install ca_policy_igtf-classic ca_policy_igtf-slcs ca_policy_igtf-mics

      • yum remove ca_policy_igtf-iota

    • Or to install only the CILogon Silver CA do:

      • yum install ca_cilogon-silver

Revision History