Remove the current implementation of eHerkenning/eIDAS level selection per form

[joeribekker]

Since this works completely different compared to DigiD. See ticket #3968 for adding it properly, but let's remove it for now since its not working at all.

[joeribekker]

Refinement: We should check with Signicat how it should work: Multiple service IDs in the service catalog or can we specify a higher LoA in the request than that in the service catalog?

[SilviaAmAm]

Question

In the service catalogue, inside the ServiceDefinition node, there is a AuthnContextClassRef node where the LoA is specified.
In the authentication request, there can be a RequestedAuthnContext node where also a AuthnContextClassRef with the LoA can be present.

From this documentation (https://afsprakenstelsel.etoegang.nl/display/as/Interface+specifications+HM-AD) I see:

When RequestedAuthnContext is included in the request, then it must contain a Level of assurance (AuthnContextClassRef) 
equal to or lower than the level of assurance included in the Service catalog for the requested service.

Is this functionality supported by Signicat?

Signicat answer
We support both [LoA in Service catalogue and AuthnRequest] place when a customer/implementationpartner sets this up.

However, we advise to let the ServiceCatalog to determine which LOA is going to be used, and not set it in the Authn request. This will prevent any confusion on which LOA should be mandatory.

i.e.: When the service has LOA 3 in the ServiceCatalog, it is not possible to set a lower LOA in the Authn.

Conclusion
I think then that we should remove this functionality? Since we supported setting a LoA higher than in the service catalogue (but this is not in agreement with the standard?) but Signicat does not support setting a lower LoA.

[joeribekker]

Refinement: We checked and Signicat (preprod) allows us to login with a lower LoA than specificied in the service catalog (we logged in with LoA2 while the service catalog states LoA2+... and LoA2 is not even allowed anymore..)

[joeribekker]

Refinement:
a) Ask with the standard whats the reasoning behind allowing a lower level to be sent than specified in the service catalog.
b) Who needs to validate the LoA that a user is logged in (see below)

ServiceCatalog: LoA2+
Form sents: LoA2+
User uses: LoA2

What happens? Will the broker stop the user or do we get the user with artificat LoA2 and stop the user ourselves?

[SilviaAmAm]

More LoA info: https://afsprakenstelsel.etoegang.nl/display/as/Interface+specifications+and+the+interpretation+of+LOAs
Questions sent to Signicat on 18-03

[SilviaAmAm]

Conclusion:
We can't set the LoA higher in the AuthnRequest because it is not conform to the standard.
We can't set the LoA lower, because it is discouraged by Signicat.
Therefore, we should remove this feature.