2.5 Trust level concept
Providers of HIN-protected web applications (ACS/FS) can choose between three trust levels. The AGW enables authentication at all three trust levels:
| Trust level | Authentication | Description | Information from the application provider's perspective |
|---|---|---|---|
| 1 | User authentication in the institutional Active Directory. | The user is known and authenticated within the institution. | The application provider receives information on which organisation is accessing the application, but not which specific person. |
| 2 | User authentication in the institutional Active Directory. | Same as for trust level 1, plus: the user has a HIN identity and has linked it to the Active Directory user. | The application provider receives information about the specific person who is accessing the application. However, the person has not been strongly authenticated. |
| 3 | Strong authentication (two-factor authentication). | Same as for trust level 2, plus: the user's HIN identity has been strongly authenticated. | The application provider receives information about the specific person who is accessing the application and knows that this person has been strongly authenticated. |
As soon as the AGW has been installed, all users in the organisation may use trust level 1 applications. If an application requires a higher trust level, a step-up process is initiated. This can look something like the following example:
The Active Directory user john.smith (John Smith) has linked his HIN identity jsmith1. This enables him to access trust level 2 applications without any additional measures. However, John Smith now accesses an application that requires trust level 3. To reach trust level 3, John Smith needs a second authentication factor. The HIN platform therefore sends him an SMS (see 2.6). After completing the mTAN procedure, John Smith is authenticated at trust level 3 for this session and can access the application.
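A small model of the trust-level derivation, step-up decision and information released to the application provider described above, added here as an illustration and not HIN's own code; the Session fields, the organisation name and the step-up action names are assumptions:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Session:
    organisation: str                   # institution whose Active Directory authenticated the user
    ad_user: str                        # Active Directory account, e.g. john.smith
    hin_identity: Optional[str] = None  # HIN identity linked to the AD user, e.g. jsmith1
    second_factor_done: bool = False    # mTAN procedure completed in this session

def trust_level(s: Session) -> int:
    """Trust level reached so far in this session (1, 2 or 3)."""
    if s.hin_identity is None:
        return 1          # authenticated in the institution's Active Directory only
    if not s.second_factor_done:
        return 2          # plus a linked HIN identity, but not strongly authenticated yet
    return 3              # plus a second factor: the HIN identity is strongly authenticated

def released_claims(s: Session) -> dict:
    """What the application provider learns about the caller at the current level."""
    level = trust_level(s)
    claims = {"trust_level": level, "organisation": s.organisation}
    if level >= 2:
        claims["person"] = s.hin_identity        # level 1 reveals the organisation only
    if level == 3:
        claims["strongly_authenticated"] = True
    return claims

def request_access(s: Session, required_level: int) -> Tuple[str, object]:
    """Grant access or initiate the step-up process.

    Returns ("allow", claims) or ("step_up", action), where the assumed action
    names the missing step: "link_hin_identity" for level 2, "mtan" for level 3.
    """
    if required_level not in (1, 2, 3):
        raise ValueError("unknown trust level")
    if trust_level(s) >= required_level:
        return "allow", released_claims(s)
    if s.hin_identity is None:
        return "step_up", "link_hin_identity"
    return "step_up", "mtan"

def complete_mtan(s: Session, code_verified: bool) -> Session:
    """Record a successful SMS mTAN check; only meaningful once a HIN identity is linked."""
    if s.hin_identity is None:
        raise ValueError("no HIN identity linked; mTAN cannot raise the level above 1")
    if code_verified:
        s.second_factor_done = True
    return s
```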