Configuring Support for acr Claims and Values

The ActivID Appliance server supports acr claims in ID Token, as well as acr_values, as a parameter in the authentication request, so that users are presented with the correct screens at authentication (for example, password followed by an MFA option).

The acr claims/values correspond to a Level of Assurance (LoA), that is, the level of confidence in the claimed identity of a user during authentication, as defined in NIST Special Publication 800-63-3 (values of 1, 2 or 3 for the Authentication Assurance Level (AAL)) and the more detailed 800-63B.

The OpenID Connect specification promotes the use of the former over the latter, and provides several samples using either the acr_values or the claims parameter.

The default LoA value depends on the authentication policy type. As a summary:

Authentication Policy Type    LoA Value
UP                            1
MD                            1
OTP                           1
PKI                           2
PUSH                          2
OOB                           1

You can update these values as required. For example, if you are using hardware devices or tiered-authentication, you can increase the LoA value:

  • As the NIST general guideline for multi-factor authentication (with independent factors) is level 2, most tiered-authentication policies would also be 2.
  • In addition, a FIPS 140-2 validated hardware device (on top of MFA) is level 3, so PKI would be set to 2, but if you are enforcing the use of PIV smart cards, it would increase to 3.

When you add a new authentication policy, the Level of Assurance field is empty and you can enter a value corresponding to your organization’s requirements (such as urn:openbanking:psd2:ca and urn:openbanking:psd2:sca) as defined in the Open Banking implementation guide.

Note: The Level Of Assurance field is OPTIONAL and should contain a STRING value.
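As an added example (not part of this documentation or of the ActivID product), the following shows the relying-party side of the exchange described above: sending the requested acr values in the authentication request and then checking the acr claim returned in the ID Token. The authorization endpoint, client_id, redirect_uri and the ID Token payloads are constructed placeholders.

```python
# Added example (not ActivID code): relying-party side of the acr /
# acr_values exchange. Endpoint URL, client_id, redirect_uri and the
# sample ID Token payloads below are constructed placeholders.
import json
from urllib.parse import urlencode

def build_auth_request(authorize_url, client_id, redirect_uri, acr_values,
                       nonce, use_claims_param=False):
    """Build an OIDC authentication request asking for specific acr values.

    OpenID Connect Core 1.0 allows either form: the space-separated
    acr_values parameter (acr requested as a voluntary claim), or the
    claims parameter marking acr as essential with the acceptable values.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
    }
    if use_claims_param:
        params["claims"] = json.dumps(
            {"id_token": {"acr": {"essential": True, "values": list(acr_values)}}})
    else:
        params["acr_values"] = " ".join(acr_values)
    return f"{authorize_url}?{urlencode(params)}"

def acr_satisfies(id_token_claims, requested_acr_values):
    """Return True only if the ID Token's acr claim is one of the requested values.

    acr is a STRING (see the note above), so a numeric LoA such as 2 arrives
    as "2" and a URN such as urn:openbanking:psd2:sca is compared verbatim.
    A missing, non-string or unrequested acr fails closed: the OP may have
    fallen back to a weaker policy, and the RP must not assume otherwise.
    Call this only after signature, iss, aud, exp and nonce have been verified.
    """
    acr = id_token_claims.get("acr")
    return isinstance(acr, str) and acr in set(requested_acr_values)

if __name__ == "__main__":
    wanted = ["2", "3"]  # PKI / PUSH defaults or higher, per the table above
    print(build_auth_request("https://op.example/authorize", "rp-client",
                             "https://rp.example/cb", wanted, "n-0123"))
    # Constructed ID Token payloads: MFA honoured vs. fallback to password.
    print(acr_satisfies({"sub": "alice", "acr": "2"}, wanted))  # True
    print(acr_satisfies({"sub": "alice", "acr": "1"}, wanted))  # False
```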
