Networks ∙ Services ∙ People www.geant.org Daniela Pöhn REFEDS meeting @ EWTI, Vienna IdPs and Federations Service Aspects of Assurance 2015-12-01 SA5T1 Subitem Service Aspects of Assurance Research Assistant LRZ/DFN-AAI


Page 1: Title slide

IdPs and Federations: Service Aspects of Assurance

Daniela Pöhn, Research Assistant LRZ/DFN-AAI

REFEDS meeting @ EWTI, Vienna, 2015-12-01

SA5T1 Subitem Service Aspects of Assurance

Page 2: Motivation

FIM4R: higher LoA. Federations: lower LoA.

Analysis of:
• user communities (AARC) and
• identity providers and federations (GÉANT)

Investigations of the business, e.g.:
• benefits and implications
• assurance schemes
• achievability / expense of development
• cost and impact of adopting assurance schemes
• …

End goal: some sort of cost analysis

Page 3: Survey on federations

https://wiki.geant.org/display/gn41sa5/Federation+survey

Results:
• LoA in place with contracts
• Identity Management Practice Statement, but not enforced
• Documented, but not enforced
• Most federations/IdPs do not want a higher LoA
• Impacts of adopting LoA: from none to high costs
• Hub-and-spoke federations have more control

Page 4: Survey on identity providers

https://wiki.geant.org/display/gn41sa5/IdP+survey

Results:
• Individual accounts
• Most IdPs have an identity vetting process, but it is not documented
• Most IdPs have certain password quality requirements
• (Almost) no second-factor authentication
• Update of account/affiliation takes between less than 2 weeks and more than 6 months
• Partly documented
• Incident response process partly in place

Page 5: Possible costs

Achievable without much manpower or high costs:
• Unique identifiers
• Persistent, not re-assigned identifiers
• (Internal) documentation of the vetting process

Other aspects seem to be more expensive or time-consuming:
• Documentation of all processes
• Prompt update of information
• Second-factor authentication
• Audit

Page 6: Baseline requirements

• Individual accounts
• Persistent, non-re-assigned identifiers
• Documented identity vetting, which is not necessarily face to face
• Password authN with some good practices
• Departing user's ePA changes promptly
• Self-assessment of LoA supported with specific guidelines

Page 7: Potential solutions

• Self-assessment template / tool:
  • GÉANT web tool
  • including recommendations and best practices
  • (combined with Sirtfi and other monitoring/testing tools)

• For IdPs that need a higher LoA:
  • Peer (pairwise) auditing of IdPs
  • Second-factor authentication: GÉANT could offer it as a service or procure a Duo-type solution for the community

Page 8: Discussions

• Are the baseline requirements ok?
  • Individual accounts
  • Persistent, non-re-assigned identifiers
  • Documented identity vetting, which is not necessarily face to face
  • Password authN with some good practices
  • Departing user's ePA changes promptly
  • Self-assessment of LoA supported with specific guidelines

• How to technically signal compliance with the baseline requirements?
• …

Page 9: Thank you

Do you have any questions?

[email protected]

This work is part of a project that has applied for funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1).