Description
Short version
When the user prefers to use the names validated by an external connection rated https://refeds.org/assurance/IAP/medium, we should send the value https://refeds.org/assurance/IAP/medium in eduPersonAssurance (ePA), and not https://refeds.org/assurance/IAP/high, even if a validation at level https://refeds.org/assurance/IAP/high is available for the account.
Scenario explained
This can happen when a user first uses iDIN (IAP high) to validate the name on her eduID account. Then she adds her institution (IAP medium) and, when asked, prefers the name from the institution. Later, when she shares her attributes via SAML, eduID sends the name that was validated by an IAP medium method together with an IAP high assurance. While the account itself is also IAP high validated, this is confusing, since the name (which is probably the same) is officially not IAP high assured.
Testing scenario
- Create a new eduID.
- Validate your account on mijn.{domain}.
- Use Mujina to add a validated first and last name, including the eduPersonAssurance value https://refeds.org/assurance/IAP/high.
- Use oidc-playground to check the validated names and verify that the ePA https://refeds.org/assurance/IAP/high is sent.
- Use Mujina to add a role, including the eduPersonAssurance value https://refeds.org/assurance/IAP/medium. Use a different first and last name. Select these names as preferred when prompted.
- Use oidc-playground to check the last validated names and verify that the ePA https://refeds.org/assurance/IAP/medium is sent (not high!).
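The scenario above, as an added illustration that is not eduID's own code: a hypothetical `LinkedAccount` model with one function reproducing the reported behaviour (name from the preferred source, ePA from the highest validation anywhere on the account) next to the requested behaviour (ePA taken from the same validation the released name comes from). Source labels and names are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# REFEDS Assurance Framework identity-proofing levels, lowest to highest.
IAP_LOW = "https://refeds.org/assurance/IAP/low"
IAP_MEDIUM = "https://refeds.org/assurance/IAP/medium"
IAP_HIGH = "https://refeds.org/assurance/IAP/high"
IAP_RANK = {IAP_LOW: 1, IAP_MEDIUM: 2, IAP_HIGH: 3}


@dataclass(frozen=True)
class LinkedAccount:
    """One external validation linked to an eduID account (hypothetical shape)."""
    source: str              # constructed label, e.g. "idin" or "institution"
    given_name: str
    family_name: str
    assurance: str           # IAP URI asserted by this validation
    preferred: bool = False  # user picked this source's names when prompted


def release_name_buggy(accounts: Sequence[LinkedAccount]) -> Optional[Tuple[str, str, str]]:
    """Reported behaviour: the name comes from the preferred source, but the
    ePA is the highest level found across *all* validations on the account."""
    validated = [a for a in accounts if a.assurance in IAP_RANK]
    if not validated:
        return None
    chosen = next((a for a in validated if a.preferred), validated[0])
    best = max(validated, key=lambda a: IAP_RANK[a.assurance])
    return chosen.given_name, chosen.family_name, best.assurance


def release_name(accounts: Sequence[LinkedAccount]) -> Optional[Tuple[str, str, str]]:
    """Requested behaviour: the ePA is the level of the validation the released
    name actually came from. Without a stated preference, fall back to the
    highest-assured validated name so name and ePA stay consistent."""
    validated = [a for a in accounts if a.assurance in IAP_RANK]
    if not validated:
        return None
    preferred = [a for a in validated if a.preferred]
    chosen = preferred[0] if preferred else max(validated, key=lambda a: IAP_RANK[a.assurance])
    return chosen.given_name, chosen.family_name, chosen.assurance


# Constructed data mirroring the issue: iDIN validated at high first, then an
# institution validated at medium whose (different) names the user prefers.
SCENARIO = [
    LinkedAccount("idin", "Anna", "Jansen", IAP_HIGH),
    LinkedAccount("institution", "Anne", "Jansen-Smit", IAP_MEDIUM, preferred=True),
]
```

Running both functions over `SCENARIO` shows the released names are identical while only `release_name` reports the medium level those names were actually validated at.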