Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
Consent and preference management
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Externalized authorization
Identity broker
Mobile identity
- Mobile identity - Access component
- Mobile identity - Tulip
Mobile SDK
API references
Release notes and FAQ
Integrations

All

All

IDAAS core

Assurance levels

IDAAS core
Getting started with the OneWelcome Identity Platform
Manage administrators
Authentication
- Authentication FAQ
- Password migration
Events
- Public event payload taxonomy
- Export events
IDAAS core - Access
- Securing resources
- Client authentication methods
- Client application configuration
  - Scope configuration
  - Identity providers
  - Resource gateway configuration
  - Scopes API
  - Scope Verification Service
  - Identity provider API
  - Protected data in single-page apps
- OAuth 2.0 and OpenID Connect
  - OpenID Connect
  - OpenID Connect authentication
  - OpenID Connect scopes and claims
  - User claims and attributes
  - OpenID provider configuration
  - ID token encryption
  - Web clients
    - Resource owner password credentials
    - Uniquely identify guests
    - Migration of web clients with hashed secrets
    - Web clients API
  - Tokens
    - Access tokens
    - ID tokens
    - Refresh tokens
    - Access token API
    - Token introspection API
  - iFrame session monitoring
    - Relying party iFrame
    - End session API
    - Session management APIs
  - OAuth endpoints
  - OAuth configuration
  - Discovery API
  - JSON Web Key Set API
  - User information API
  - OAuth consent API
  - OAuth Token Exchange
- SAML Applications
- Custom authenticators
- General system properties
  - Configure system features
  - Session configuration
  - CORS support
  - Extension engine properties
  - SAML service provider configuration
  - API clients API
  - Responsible disclosure policy
- Access events
  - Audit events
  - Audit log
  - Events API
  - Security events
- Web hooks
  - Web hooks configuration API
- User session API
IDAAS core - Tulip
- Tenants and brands
- Identity store and data model
  - SCIM API
  - SCIM schemas
  - SCIM user management
  - SCIM user attributes
  - SCIM API versions
- Credential store
  - Email address management
  - Password management
  - Password policies
- OAuth 2.0 and OpenID Connect
  - OAuth 2.0 and OpenID Connect setup
  - Device flow
  - OAuth client authentication methods
  - Proof Key for Code Exchange
  - Step-up authentication
  - OAuth 2.0 and OpenID Connect API
  - Dynamic client registration API
  - OAuth OIDC error handling
- Account lockout
- Session management
- Event store
- API rules
- Reports
- Email overview
- Core administration experience
  - Audit logs
- Locales and languages
Assurance levels
Customize the user interface

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
IDAAS core
Assurance levels

Assurance levels

The OneWelcome Identity Platform uses assurance levels and authentication context class reference (ACR) values to indicate the strength and security of authentication methods. These concepts help ensure that users are properly authenticated and that access to resources is granted based on the appropriate level of trust.

Assurance levels

Assurance levels, also known as levels of assurance (LOA) or service levels, indicate the degree of confidence in the trustworthiness of a user or transaction. They define the strength of the identity proofing, credential management, and authentication processes that are used. Higher assurance levels imply a greater degree of certainty that a user is who they claim to be.

Define assurance levels

In the OneWelcome Identity Platform, you define the assurance levels on the console or with the Access Config and End-User APIs.

Each assurance level includes:

a name
a level (a number between 0 and 100)

You can then use those assurance levels in authentication journeys, where you can select the assurance level that each authentication method in a journey provides.

On the OneWelcome Identity Platform console, select Applications > Authentication assurance levels.
Select Add assurance level.
On the Add assurance level page, enter a Name for the assurance level.

The name is used in SAML and OIDC authentication requests.
Enter a Level between 0 and 100.

Higher numbers indicate a stronger assurance, but the level doesn't necessarily represent a security strength.
Select Save.

Step-up authentication with assurance levels

Authorization requests can require a higher assurance level when needed.

You can provide the assurance level for both OIDC and SAML requests:

OIDC requests use the acr_values parameter.
SAML requests use the AuthnContextClassRef element.

These parameters to allow you to initiate step-up authentication, but also to request a specific assurance level during the first authentication.

The OIDC relying party (RP) or SAML service provider (SP) then uses the assurance level in the response to determine which resources the user is authorized to access, based on the assurance level that the authentication method provides.

Supported types of assurance levels

The OneWelcome Identity Platform supports the following types of assurance levels:

Special purpose assurance levels: These are assurance levels that have special and well-defined functionality in the platform:
- Authentication journey selection: Use these assurance levels to select a specific authentication journey. Each authentication journey has a unique identifier. Each authentication method in an authentication journey can specify the assurance level that the user attains when they authenticate successfully with that method.
The reserved assurance level for authentication journeys is: urn:onewelcome:ujo:v1:auth:journey:id.

For example: urn:onewelcome:ujo:v1:auth:journey:id:3c1bd2cd-d3b9-4e9b-9b1f-afc6ec8fab57.
- IDP selection: Use these assurance levels to select an identity provider (IDP) in the Identity Broker service, such as: urn:onewelcome:broker:v1:apple:auth. You can specify the required assurance level for each IDP variant.
Custom assurance levels: You can add your own assurance levels. Custom assurance levels cannot start with urn:onewelcome.

Default assurance levels

Assurance levels can vary based on the combination of authentication methods that are used and the strength of each method.

You can configure the default assurance levels for the following:

Web clients (Default ACR value)
SAML applications (Default Authentication Context Class References).

Both of these can include multiple assurance levels.

On this page

OneWelcome Identity Platform

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com