Minimal Level of Assurance (LoA)

Slides:



Advertisements
Similar presentations
Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service Federated Identity Systems.
Advertisements

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Updates Licia Florio, TERENA REFEDS Meeting 5 Sept 2012.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Innovation through participation eduGAIN policy: A worm report TF-EMC2 Vienna Mikael Linden, CSC The worm farmer.
Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.
Networks ∙ Services ∙ People Daniela Pöhn REFEDS EWTI, Vienna IdPs and Federations Service Aspects of Assurance SA5T1.
Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos David Groep 9 th FIM4R Meeting The AARC Project.
Authentication and Authorisation for Research and Collaboration AARC/CORBEL Workshop for Life Sciences AAI AARC Draft Blueprint.
ELIXIR AAI Michal Procházka, Mikael Linden, EGI VC 15 March 2016.
IGTF Generalised Assurance comments by federation operators with a SAML background September 19-21, 2016 CERN, Geneva, CH.
SCI & Sirtfi David Kelsey (STFC-RAL) EGI Conference, Lisbon 19 May 2015.
The IGTF to eduGAIN Bridge
Building Trust for Research and Collaboration
Introduction to AAI Services
WLCG Update Hannah Short, CERN Computer Security.
David Kelsey STFC-RAL 4th WISE workshop, Nikhef 27 March 2017
Boosting AAI for research and collaboration
Cross-sector and user-centric AAI
TrustTech - Task Overview (GN4-2 JRA3-T3)
The Policy Puzzle Many groups and (proposed) policies, but leaving many open issues AARC “NA3” is tackling a sub-set of these “Levels of Assurance” –
LoA Policy Harmonisation and Best Practices
EGI Updates Check-in Matthew Viljoen – EGI Foundation
AARC Update What’s been happening in AARC which matters for GÉANT
User Community Driven Development in Trust and Identity
Bring the WLCG federation Home
Policy and Best Practices … the Story So Far
eduTEAMS platform for collaboration Niels Van Dijk
LoA Policy Harmonisation and Best Practices
Wrap up Licia Florio AARC Coordinator
Policy and Best Practices … the Story So Far
AAI Alignment Nicolas Liampotis (based on the work of Mikael Linden)
GÉANT 4-2 JRA3 T1 Something with Federations and Campus VC
Update on FIM4R David Kelsey
Boosting AAI for research and collaboration
The AARC Project Licia Florio (GÉANT) Christos Kanellopoulos (GRNET)
The AARC Project Licia Florio AARC Coordinator GÉANT
LoA Policy Harmonisation and Best Practices
GÉANT 4-2 JRA3 T1 and T2 Federations and Campus (CaFe) e-Infrastructures and Service Providers (RASP) Daniela Pöhn JRA3 T1 LRZ/DFN-AAI Technology Exchange.
Frameworks for harmonized policies and practices
Policy in harmony: our best practice
Thursday pilot session: 7-minutes
Towards an Initial LoA Baseline Assurance Profile?
Towards hamonized policies and best practices
Policy and Best Practice … in practice
Pilots in AARC Arnout Terpstra (AARC2) / Paul van Dijk (AARC1)
AAI For Researchers Licia Florio AARC Project Coordinator GÉANT DI4R
AARC Blueprint Architecture and Pilots
Supporting communities with harmonized policy
EUGridPMA Status and Current Trends and some IGTF topics March 2018 APGridPMA ISGC Meeting David Groep, Nikhef & EUGridPMA.
OIDC Federation for Infrastructures
AARC2 JRA1 Update Nicolas Liampotis
AAI Architectures – current and future
WP3: Policy and Best Practice Harmonisation
Community AAI with Check-In
GÉANT 4-2 JRA3 Daniela Pöhn JRA3 T1 LRZ/DFN-AAI
Community Engagement & Competence Centre
Tom Barton (WG Chair) University of Chicago and Internet2
Federated Incident Response
REFEDS Assurance Suite
Presentation transcript:

Minimal Level of Assurance (LoA) Recommendation for low-risk research use cases Hannah Short GÉANT Symposium, Vienna 9 March 2016

AARC Authentication and Authorisation for Research and Collaboration Support the collaboration model across institutional and sector borders Build on the many existing and evolving components Technical and Policy goals To develop an integrated AAI built on production services (i.e. eduGAIN) To define an incident response framework to work in a federated context To agree on a LoA baseline for the R&E community To pilot new components and best practices guidelines in existing production services

Level of assurance Research community interviews done Interviewed 6 research infrastructures CLARIN (language research) DARIAH (arts and humanities) ELIXIR (life science) LIGO (physics) photon/neutron facilities (physics) WLCG (physics) Interviewed 2 e-infrastructures (cyberinfrastructures) EGI PRACE Interview results: https://wiki.geant.org/x/nQHbAg

Minimum LoA recommendation (30 Nov 2015) The accounts in the Home Organisations must each belong to a known individual Persistent user identifiers (i.e., no reassignment of user identifiers) Documented identity vetting procedures (not necessarily face-to-face) Password authentication (with some good practices) Departing user’s eduPersonAffiliation must change promptly Self-assessment (supported with specific guidelines) The document: https://wiki.geant.org/x/wIEVAw

Community consultation 11/2015-1/2016 Received 25 comments (mostly from federation operators) https://wiki.geant.org/download/attachments/47907229/MinimalLoArecommendation-- comments.pdf ”Is this a report feeding the actual profile work that will start” ”Need to involve more research communities to make them committed” ”This is an approximation of InCommon Silver which hasn’t gotten traction. Why would this?” Many comments expected more detail Unique identifier (”Don’t rule out ePPN”) Password requirements eduPersonAffiliation and departing users Mappings to existing federations policies

Spin-off: Self-assessment tool Self-assessment proposed as the approach for ”IdP audit” A web based tool to support the IdP admins in the self-assessment Presents the specific requirements as a check-list The IdP admin goes through the list one-by-one The tool evaluates the answers If ”pass”, federation operator adds an Entity Category tag Software Requirements specification Together with Sirtfi https://docs.google.com/document/d/10kguCdxWn38z_EGRnrdjCI4GSeO44zFG eXWHGmzz27o/edit

hannah.short@cern.ch

Service Aspects of Assurance IdPs and Federations Daniela Pöhn SA5T1 Subitem Service Aspects of Assurance Research Assistant DFN/LRZ GÉANT Symposium, Vienna 2016-03-09

Results: Survey on federations https://wiki.geant.org/display/gn41sa5/Federation+survey Results: LoA in place with contracts Identity Management Practice Statement, but not enforced Documented, but not enforced Most federations/IdPs do not want a higher LoA Impacts on adopting LoA: between none till high costs Hub-and-spoke federations have more control

Survey on identity provider https://wiki.geant.org/display/gn41sa5/IdP+survey Results: Individual accounts Most IdPs have an identity vetting process, but not documented Most IdPs have certain password qualities (Almost) no second-factor authentication Update of account/affiliation between less than 2 weeks and more than 6 months Partly documented Partly Incident Response Process

Survey on identity provider

Survey on identity provider

Survey on identity provider

Survey on identity provider

Baseline requirements Individual accounts Persistent, non re-assigned identifiers Documented identity vetting, which is not necessarily face to face Password authN with some good practices Departing user’s ePA changes promptly Self-assessment of LoA supported with specific guidelines

Possible costs Without much manpower or high costs: Unique identifies Persistent, not re-assigned identifiers (Internal) documentation of the vetting process Other aspects seem to be more expensive or time consuming: Documentation of all processes Promptly update of information Second-factor authentication Audit

Potential solutions Self-assessment template / tool: GÉANT web tool including recommendations and best practices (combined with SIRTFI and other monitoring/testing tools), For IdPs, who need a higher LoA: Peer (pairwise) auditing of IdPs Second-factor authentication: GÉANT could offer it as a service or procure Duo- type solution for community

GN4 Phase 2 Assurance within JRA3 T2 Web tool (together with SIRTFI?) Requirements for SIRTFI currently gathered in REFEDS WG Research is global, so assurance should be global as well Importance of coordination with InCommon and other parties Assurance might get an own WG

Do you have any questions? daniela.poehn@lrz.de

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.