Authentication Presenter Meteor Advisory Team Member Version 1.1.

Presentation transcript:

2 Glossary
– FAP - Financial Aid Professional. Individuals, working for schools, who are seeking information on a student's loan in order to advise and assist students with financial aid.
– MAT - Representatives from the Meteor sponsors, NCHELP, and partnering organizations responsible for the design and implementation of the Meteor project.

3 Assumptions:
– All Index, Access & Data Providers are assigned a Unique ID by the MAT (Meteor Advisory Team).
– Within Meteor, students/borrowers are identified by an element called "Student/Borrower ID" (which is their SSN).
– Within Meteor, FAPs are identified by a pair of elements:
  - The OPE ID (identifies their institution)
  - A local user identifier, which is unique within their institution (assigned by the AP).

4 Assumptions: (Cont.)
– This presentation will refer to various kinds of Assertions. These are SAML Assertions (see
– Currently, there are two possible Roles:
  - Borrower (authorized to see only their own data)
  - FAP (authorized to see data on all students)
– An Authentication Assertion identifies the person submitting a QUERY. This may be different from the subject of the query.

5 Being Recognized as an Index, Access & Data Provider
– An interested party submits a Meteor Provider Registration Request to the Meteor Advisory Team (MAT).
– MAT manually reviews the request. As part of this review the MAT reviews the Access Provider authentication process for each role/group and assigns an assurance level to each.

6 Being Recognized as an Index, Access & Data Provider (cont.)
– The MAT assigns a Unique ID to the party (a logical name, distinct from the names used for signing). The new party generates a key pair, and provides a Digital Certificate to the MAT.
– The MAT adds the new party to its Registry.

7 User Requesting Information
– The user connects to a specific Access Provider (AP) and authenticates.
– The AP determines the role for this user (FAP or Borrower) based on local authentication procedures.
– The AP software determines the default assurance level that corresponds with the role of the user.

8 User Requesting Information (cont.)
– The AP software builds an Authentication Assertion, which includes:
  - The AP's Unique ID
  - Authentication Process ID
  - Session ID
  - The role of the user
  - A local user identifier:
    - If the role is FAP, then this is the OPE ID and a unique local user ID associated with the user
    - If the role is borrower, then this is the borrower's SSN
  - The assurance level

9 User Requesting Information (cont.)
– The AP software signs the Authentication Assertion.
– The AP software looks in the Registry (cached local copy), and finds all the Index Providers (IP). It builds an IP Query Request for each IP, asking for the Data Providers (DP) with loan information relevant to this student/borrower. This IP Query Request includes:
  - The Unique ID of the AP
  - The Authentication Assertion (the user making the request)
  - The subject of the query

10 User Requesting Information (cont.)
– The AP software signs the request, and sends it to each of the Index Providers.
– An IP validates the signature on the request. The IP then verifies that the requestor is a trusted speaker (authorized to submit these requests) by looking at the AP's entry in the Registry. The IP then builds an IP Response Message, signs it, and returns it to the AP.

11 User Requesting Information (cont.)
– The AP software validates the signature on the response, and verifies that the responder is a trusted speaker. The AP software then builds a consolidated list of Data Providers thought to be holding information about this student/borrower.
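The signing and trusted-speaker checks of slides 8 to 11, as an added example that is not Meteor's own code. Meteor uses SAML assertions and X.509 certificates; this sketch stands in Ed25519 keys and JSON payloads for them, and every type, field and function name below is an assumption. An Access Provider signs its Authentication Assertion, wraps it in an IP Query Request and signs that as well; the Index Provider looks the signer up in its cached Registry, checks the signature, and then checks that the Registry entry marks the signer as a trusted speaker for AP requests. One extra check, added here rather than taken from the slides, requires the AP Unique ID carried inside each message to match the party that actually signed it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// RegistryEntry is what each participant caches from the MAT Registry: the party's
// public key and the message kinds it is trusted to sign ("AP", "IP", "DP").
type RegistryEntry struct {
	PubKey  ed25519.PublicKey
	Speaker map[string]bool
}

// Registry maps the MAT-assigned Unique ID (a logical name) to its entry.
type Registry map[string]RegistryEntry

// Party is one registered participant together with its private key (constructed helper).
type Party struct {
	ID    string
	Priv  ed25519.PrivateKey
	Entry RegistryEntry
}

// NewParty generates a fresh key pair; in Meteor the party would instead hand a certificate to the MAT.
func NewParty(id string, speakerKinds ...string) (Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Party{}, err
	}
	kinds := map[string]bool{}
	for _, k := range speakerKinds {
		kinds[k] = true
	}
	return Party{ID: id, Priv: priv, Entry: RegistryEntry{PubKey: pub, Speaker: kinds}}, nil
}

// AuthnAssertion carries the fields slide 8 lists (field names are assumptions).
type AuthnAssertion struct {
	APID           string `json:"ap_id"`
	AuthnProcessID string `json:"authn_process_id"`
	SessionID      string `json:"session_id"`
	Role           string `json:"role"`          // "FAP" or "Borrower"
	LocalUserID    string `json:"local_user_id"` // OPE ID + local ID, or the borrower's SSN
	AssuranceLevel int    `json:"assurance_level"`
}

// Signed is a detached-signature envelope: the exact bytes that were signed plus the
// signer's Unique ID, which tells the verifier which Registry entry to check against.
type Signed struct {
	SignerID  string `json:"signer_id"`
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// IPQueryRequest mirrors slide 9: the AP's Unique ID, the signed assertion and the subject.
type IPQueryRequest struct {
	APID      string `json:"ap_id"`
	Assertion Signed `json:"assertion"`
	Subject   string `json:"subject"`
}

// Sign serialises msg and signs the resulting bytes with the party's private key.
func Sign(p Party, msg interface{}) (Signed, error) {
	payload, err := json.Marshal(msg)
	if err != nil {
		return Signed{}, err
	}
	return Signed{SignerID: p.ID, Payload: payload, Signature: ed25519.Sign(p.Priv, payload)}, nil
}

// Verify performs the two checks of slide 10: the signature must verify under the Registry
// key for SignerID, and that entry must mark the signer as a trusted speaker for this
// message kind. An unknown signer fails before any cryptography runs.
func Verify(reg Registry, s Signed, kind string) error {
	entry, ok := reg[s.SignerID]
	if !ok {
		return fmt.Errorf("signer %q is not in the Registry", s.SignerID)
	}
	if !ed25519.Verify(entry.PubKey, s.Payload, s.Signature) {
		return errors.New("signature does not verify")
	}
	if !entry.Speaker[kind] {
		return fmt.Errorf("signer %q is not a trusted speaker for %s messages", s.SignerID, kind)
	}
	return nil
}

// IndexProviderHandle is the IP side: verify the outer request, then the inner assertion,
// then (the extra check added here) require the AP IDs inside both messages to match
// whoever signed them. It returns the verified assertion for the IP's own lookup.
func IndexProviderHandle(reg Registry, req Signed) (AuthnAssertion, error) {
	if err := Verify(reg, req, "AP"); err != nil {
		return AuthnAssertion{}, fmt.Errorf("request: %w", err)
	}
	var q IPQueryRequest
	if err := json.Unmarshal(req.Payload, &q); err != nil {
		return AuthnAssertion{}, err
	}
	if err := Verify(reg, q.Assertion, "AP"); err != nil {
		return AuthnAssertion{}, fmt.Errorf("assertion: %w", err)
	}
	var a AuthnAssertion
	if err := json.Unmarshal(q.Assertion.Payload, &a); err != nil {
		return AuthnAssertion{}, err
	}
	if q.APID != req.SignerID || a.APID != q.Assertion.SignerID {
		return AuthnAssertion{}, errors.New("AP ID in message does not match its signer")
	}
	return a, nil
}

func main() {
	ap, _ := NewParty("AP-001", "AP") // constructed Unique IDs
	ip, _ := NewParty("IP-001", "IP")
	reg := Registry{ap.ID: ap.Entry, ip.ID: ip.Entry}
	sa, _ := Sign(ap, AuthnAssertion{APID: ap.ID, AuthnProcessID: "pwd-1", SessionID: "s-1",
		Role: "Borrower", LocalUserID: "000-00-0000", AssuranceLevel: 2})
	req, _ := Sign(ap, IPQueryRequest{APID: ap.ID, Assertion: sa, Subject: "000-00-0000"})
	a, err := IndexProviderHandle(reg, req)
	fmt.Println(a.Role, a.AssuranceLevel, err) // Borrower 2 <nil>
}
```

The order inside Verify matters: the Registry lookup comes first because it supplies the key, the signature check comes next, and the trusted-speaker check last, so a registered Index Provider that signs an AP-style request is rejected even though its signature is perfectly valid. Signing the serialised bytes and shipping those same bytes lets the receiver avoid re-canonicalising the message before verification.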

12 User Requesting Information (cont.)
– The AP software validates each DP against the Meteor Registry to determine that they are an authorized Meteor Data Provider and that the assurance level of the user is at least at the level required by the DP. If the current assurance level is insufficient, then the AP software will present a list and ask the borrower if they have a relationship with any DP listed with a higher level of assurance.

13 User Requesting Information (cont.)
– The user may then choose to perform further authentication via a link presented or to view an incomplete set of loan data provided only by those DPs who accept the current level of assurance.

14 User Requesting Information (cont.)
– The AP builds a DP Query Request for each DP. This request includes:
  - AP's Unique ID
  - The current Authentication Assertion
  - The subject of the query (Student/Borrower SSN)
  - Request ID (Date, Time, and a sequentially generated sequence number)

15 User Requesting Information (cont.)
– The request is signed by the AP software. The requests are sent to each valid Data Provider.

16 User Requesting Information (cont.)
– The DP software validates the Access Provider:
  - Validate the AP signature on the Query.
  - DP software verifies that the signer of the Query (AP) is a trusted speaker (via the Meteor Registry).

17 User Requesting Information (cont.)
– The DP software validates the Authentication Assertion.
– The DP software validates the signature on the Authentication Assertion.
– The DP software verifies that the signer is a trusted speaker (via the Meteor Registry).

18 User Requesting Information (cont.)
– DP assesses the assurance level. If it is insufficient, then the DP software returns an error to the AP ("Access Denied because of Authn level"). Upon receiving this response, the AP software will recognize that a Registry synchronization problem exists and will check for Central Registration updates. Alternatively, if the assurance level is insufficient, the DP software can choose to ignore the query and not respond.

19 User Requesting Information (cont.)
– The DP software will perform standard error checking (e.g. replay detection: the combination of Access Provider ID, QuerySubject, Date, and sequence number is compared to the request log to verify this is not a duplicate request).

20 User Requesting Information (cont.) – The DP software logs the Access Provider request.
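The assurance-level and replay checks of slides 12 and 18 to 20, as an added example that is not Meteor's own code. It assumes the DP has already validated the signatures and trusted-speaker status of the AP and of the Authentication Assertion (slides 16 and 17), so the assurance level in the request is trusted input; the type and function names, the string form of the request-log key and the registry-refresh callback are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"sync"
)

// ErrAuthnLevel is the slide 18 error an AP receives when its user's assurance level is
// below what the DP requires; the AP treats it as a sign its Registry copy may be stale.
var ErrAuthnLevel = errors.New("Access Denied because of Authn level")

// ErrReplay is returned when the (AP ID, subject, date, sequence) tuple is already logged.
var ErrReplay = errors.New("duplicate request")

// DPQueryRequest holds the slide 14 fields the DP needs for these checks (names assumed).
// AssuranceLevel is copied from the already-verified Authentication Assertion.
type DPQueryRequest struct {
	APID           string
	Subject        string // Student/Borrower SSN
	Date           string // constructed format, e.g. "2003-03-05"
	Time           string // present in the Request ID but not part of the slide 19 replay key
	Sequence       int
	AssuranceLevel int
}

// DataProvider keeps the minimum assurance level it accepts and its request log.
type DataProvider struct {
	RequiredAssurance int
	mu                sync.Mutex
	seen              map[string]bool
}

func NewDataProvider(required int) *DataProvider {
	return &DataProvider{RequiredAssurance: required, seen: map[string]bool{}}
}

// replayKey is the slide 19 tuple; Time is deliberately left out.
func replayKey(r DPQueryRequest) string {
	return fmt.Sprintf("%s|%s|%s|%d", r.APID, r.Subject, r.Date, r.Sequence)
}

// Accept runs the DP-side checks in slide order: assurance level (slide 18), then replay
// detection (slide 19), then logging of the accepted request (slide 20).
func (dp *DataProvider) Accept(r DPQueryRequest) error {
	if r.AssuranceLevel < dp.RequiredAssurance {
		return ErrAuthnLevel
	}
	dp.mu.Lock()
	defer dp.mu.Unlock()
	k := replayKey(r)
	if dp.seen[k] {
		return ErrReplay
	}
	dp.seen[k] = true
	return nil
}

// PartitionDPs is the AP-side step of slide 12: split the candidate DPs (Unique ID to
// required level, as cached from the Registry) into those the user's current assurance
// level satisfies and those that would need further authentication first.
func PartitionDPs(required map[string]int, userLevel int) (ok, needHigher []string) {
	for id, lvl := range required {
		if userLevel >= lvl {
			ok = append(ok, id)
		} else {
			needHigher = append(needHigher, id)
		}
	}
	sort.Strings(ok)
	sort.Strings(needHigher)
	return ok, needHigher
}

// APHandleDPError is the AP reaction slide 18 prescribes: an assurance-level denial means
// the cached Registry may be out of date, so trigger a check for Central Registration updates.
func APHandleDPError(err error, refreshRegistry func()) bool {
	if errors.Is(err, ErrAuthnLevel) {
		refreshRegistry()
		return true
	}
	return false
}

func main() {
	dp := NewDataProvider(2)
	r := DPQueryRequest{APID: "AP-001", Subject: "000-00-0000", Date: "2003-03-05",
		Time: "10:15:00", Sequence: 1, AssuranceLevel: 2} // constructed request
	fmt.Println(dp.Accept(r)) // <nil>
	fmt.Println(dp.Accept(r)) // duplicate request
	r.Sequence, r.AssuranceLevel = 2, 1
	fmt.Println(dp.Accept(r)) // Access Denied because of Authn level
}
```

Leaving Time out of the log key is what makes the check a replay check rather than an exact-duplicate check: a re-sent request with a fresh timestamp but the same date and sequence number is still caught. The slides also allow the DP to stay silent instead of returning the error; that branch is simply the caller choosing not to send the ErrAuthnLevel result back.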

21 User Requesting Information (cont.)
– The DP software builds a response, one of:
  - DP software indicates no data exist.
  - DP software chooses not to respond.
  - DP software denies data access.
  - DP software populates the data.
– The DP software signs the response, and returns it to the AP.
– The AP software validates the signature.
– The AP software displays the results for the user.

22 Feedback on Authentication addresses of speakers

23 Meteor Ongoing Status For current status and updates: go to and click on the Meteor Project logo.

24 Questions & Feedback