by Kyle Lewis, RAF WG Chair

REFEDS is pleased to announce that the REFEDS Assurance Framework (RAF) update to version 2.0 has been released. This concludes three years of work by the RAF Working Group (RAF WG).

In late Fall of 2020, the RAF WG identified the need to update RAF 1.0 based on discussions at various conferences and messaging from the National Institutes of Health (NIH) that RAF was being looked at as a potential framework for the international community of federated Credential Service Providers (CSPs) to use as a reasonable equivalent to U.S. National Institutes of Standards and Technology (NIST) requirements levied on U.S. government organizations like the NIH. In particular, the NIH, with the help of InCommon, was looking at RAF’s Identity Assurance Profiles (IAPs) and how they map to the Identity Assurance Levels (IALs) of NIST 800-63-3. These discussions brought light to the fact that RAF 1.0’s IAP definitions relied heavily on selections from three external sources, and CSPs wanting to adopt the RAF faced the challenge of finding and interpreting these sources.

The RAF WG convened with a new charter and specified several objectives for RAF 2.0: tighten definitions of many claims based on field experience with RAF 1.0; provide a single set of criteria defining the IAP claims of low, medium, and high; avoid need for the CSP to refer to one of several external standards; and reduce ambiguity for Relying Parties’ understanding of what each IAP claim actually means.

Charged with this task, the RAF WG began developing RAF 2.0 in January of 2021. Two and a half years later, the RAF WG released the RAF 2.0 draft to public consultation, which ran from June – August 2023. Taking inputs from the public consultation period, RAF 2.0 was finally submitted to the REFEDS Steering Committee in Oct 2023.

But what is RAF and why is it important to federations? To manage risks related to federated access to their services, some RPs in research and education federations must decide how much confidence they need in the assertions made by the CSPs. This framework articulates such assurances and their expression by the Credential Service Provider (CSP) to the RP using common identity federation protocols.

RAF addresses the following components:

  • Identifier Uniqueness – a method to communicate to the RP that the user’s identifier (such as a login name) is unique, and is only bound to one identity in the CSP’s context.
  • Identity Assurance – a method to communicate to the RP how certain the CSP was at enrollment time of the real-world identity of the Person to whom the account was issued. This framework specifies three levels of process-based identity assurance and authenticator management (low, medium, and high) and one risk-based identity assurance claim.
  • Attribute Assurance – a method to communicate to the RP regarding the quality and freshness of attributes (other than the unique identifier) passed in the login assertion.

The full RAF 2.0 specification can be found here.