Challenge
Many municipalities and independent schools, so-called school principals, are today connected to Skolfederation for flexible authentication to the applications and services that teachers, students and other school staff need for their daily activities. Integration with Skolfederation requires the principal to run software for authentication, a so-called Identity Provider (IdP). There are many IdP products on the market, for example Microsoft ADFS, Microsoft Entra, Google, Shibboleth IdP, Fortified ID Integrity and more.
The Digital National Exam (DNP) service from the Swedish National Agency for Education is a service for handling national digital tests. DNP is connected to Skolfederation. What is special about DNP is that it places new requirements on an IdP for authentication:
The IdP must be able to authenticate teachers and school staff at a set level of trust (Level of Assurance, LOA). An LOA2 or LOA3 method approved by DIGG is required. At the time of writing, 2024-03-19, these methods are approved:
LOA2: Freja, eduID
LOA3: AB Svenska Pass, BankID, Freja+, Freja OrganisationsID, EFOS, SITHS
The IdP must be able to signal the correct LOA.
The IdP must be able to control the flow based on information in an authentication request, that is, to decide at which LOA the user must be identified, based on what the service requested.
Solution
With Integrity from Fortified ID, the school principal can meet the requirements for authentication against DNP. There are several alternative solutions. A school principal who does not have an IdP can install and configure Fortified ID Integrity as a "standalone" IdP, and configure the authentication methods, user directories and attribute information required by a service (Service Provider).
Today, most school principals already have an IdP connected to Skolfederation. Many of them use Microsoft Entra, Microsoft ADFS or Google as IdP. Some principals also have several user sources; for example, it is common for teachers to be found in Entra and students in Google. The challenge with these IdPs is that they do not support Swedish methods that may be required for a service!
With Fortified ID Integrity, the school principal can continue to use their existing IdP to authenticate users, school staff and students. Fortified ID Integrity is added to the flow as a "proxy / broker". It detects whether an authentication request contains a requirement for login at LOA2 or LOA3. In that case the user, after undergoing regular authentication/single sign-on against the existing IdP, is asked to authenticate using a method at LOA2/LOA3, a so-called step-up authentication. After identification, Fortified ID Integrity signals the level of trust in the assertion, which is then sent back to DNP.
The Fortified ID solution comes with:
Large range of e-identifications: Support for all DIGG-approved LOA2 and LOA3 methods. The school principal can choose which method or methods teachers and school staff should be able to use. Reseller of BankID and Freja OrgID.
Flexibility: With flexible configuration options, Fortified ID Integrity can both signal trust according to requirements and control when step-up authentication is required, based on incoming information in an authentication request, attributes from the existing IdP, etc.
Competence: Our experts have extensive experience with federations at both national and international level, login methods and authentication levels. Fortified ID is always there as support to ensure a high-quality delivery.
Architecture options: In the cloud or on-premise. Since the solution does not require communication with user directories, it can be operated in the cloud. It is also possible to install the solution locally, i.e. on-premise.
Speed and simplicity: Standardized packaging for quick and easy implementation.
Other
The integration between Fortified ID Integrity and various customers' authentication solutions takes place via standardized SAML2 flows.
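The step-up decision described under Solution, sketched as an added example (not Fortified ID's code or configuration): it reads RequestedAuthnContext from a SAML2 AuthnRequest and returns which LOA, if any, to step up to and which LOA the broker may signal. The urn:example:loa* identifiers, plan_login and upstream_rank are assumptions, as is the rule that a stronger login also covers a weaker listed level; the federation defines the real LOA URIs.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Placeholder LOA identifiers (assumption); the federation defines the real URIs.
LOA_RANK = {"urn:example:loa1": 1, "urn:example:loa2": 2, "urn:example:loa3": 3}
RANK_URI = {rank: uri for uri, rank in LOA_RANK.items()}


def plan_login(authn_request_xml, upstream_rank):
    """Return (step_up_rank, loa_uri_to_assert); step_up_rank is None if no step-up is needed."""
    if "<!DOCTYPE" in authn_request_xml or "<!ENTITY" in authn_request_xml:
        raise ValueError("DTDs are not accepted in SAML messages")
    rac = ET.fromstring(authn_request_xml).find(SAMLP + "RequestedAuthnContext")
    if rac is None:
        # Nothing requested: no step-up, report only what the existing IdP achieved.
        return None, RANK_URI[upstream_rank]
    comparison = rac.get("Comparison", "exact")  # SAML default is "exact"
    if comparison not in ("exact", "minimum"):
        raise ValueError("unsupported Comparison: " + comparison)
    refs = [(e.text or "").strip() for e in rac.findall(SAML + "AuthnContextClassRef")]
    listed = sorted(LOA_RANK[r] for r in refs if r in LOA_RANK)
    if not listed:
        # Fail closed: never fall back to a weaker login for an unknown context class.
        raise ValueError("no supported AuthnContextClassRef in request")
    needed = listed[0]  # the weakest listed level already satisfies the request
    step_up = needed if upstream_rank < needed else None
    achieved = max(upstream_rank, needed)
    if comparison == "minimum":
        asserted = achieved
    else:
        # exact: signal the strongest listed level that the achieved level covers
        asserted = max(r for r in listed if r <= achieved)
    return step_up, RANK_URI[asserted]


# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-03-19T08:00:00Z">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:example:loa3</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(plan_login(SAMPLE_REQUEST, upstream_rank=1))  # user signed in at the existing IdP only
```

The signalled LOA is always derived from the authentication that actually took place, never copied from the request.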
Read more
VIDEO: Login to digital nationwide exams with approved e-identification (SWEDISH)
PDF: Fortified ID Integrity for digital nationwide exams (SWEDISH)