Step-up Authentication as a Service
Pieter van der Meulen, Technical Product Manager
SURFnet: the Dutch NREN
SURFnet is the Dutch National Research & Education Network (NREN)
–Services, innovation, knowledge
–Not for profit
–Task organisation of Stichting SURF = ICT collaboration of higher education & research
A small operation serving a large community:
–85 employees
–160 connected institutions
–1 million end-users
–Turnover 35 million Euro; 1/3 innovation subsidies
SURFnet - We make innovation work 1
OpenConext
SAML Federation Types
Mesh federation
–Each SP connects to (potentially) each IdP
Hub-and-Spoke federation
–All SPs and IdPs connect to a Gateway (aka SAML Proxy)
SURFconext Platform
Federated Authentication
–Hub-and-Spoke SAML federation
–140 Identity Providers, 240 Service Providers
Centralized Groups
–Used for ad hoc collaborations and institutional groups
Group Provider
–Provides group membership information to service providers
–Receives group data from external group providers
Service Delivery Platform
–Federated Authentication
–Attribute-based Authorization
–National Procurement & Licensing
Create Trusted Services by combining identity federation, privacy and data-protection regulations and the licence deal in one contract between the Service Provider and (all) Dutch institutions
Services Dashboard
Barriers to strong authentication
Deadlock
–SPs do not require strong authentication because few IdPs can provide it
–IdPs do not implement strong authentication because few SPs require it
Implementation by IdP
–High entry cost for a small user base
–Risk of vendor lock-in
Implementation by SP
–Not their core business
–Results in many tokens per user
Level of Assurance
A strong credential means both:
–Strong identification
–Strong authentication
Level of Assurance
–1: Low
–2: Medium
–3: High
–4: Very high
Step-up authentication as a Service
Step-up authentication
Create a stronger credential by combining:
–Existing SAML authentication with the institutional IdP
–Authentication with a second factor: phone, token, …
Step-up Authentication Flow
Determining the required LoA
SP can request a LoA using RequestedAuthnContext
–Each LoA is represented by a URI (an AuthnContextClassRef)
Step-up gateway configuration
–SP requires a minimum LoA for an IdP
–IdP requires a minimum LoA for an SP
Resulting LoA is communicated using AuthnContext in the Response
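A worked example of the LoA resolution this slide describes, added here; it is not code from the presentation or from the SURFconext gateway. It assumes example LoA URIs, example entityIDs, a per-(SP, IdP) minimum configured in both directions, and the reading that the gateway enforces the highest of the SP's request and the two configured minima while never asserting more than the user actually achieved. The AuthnRequest it parses is constructed for the example.

```python
"""Added example, not code from the slides or from SURFconext: how a step-up
gateway turns RequestedAuthnContext plus its own per-SP/per-IdP minima into
the AuthnContext it may assert. LoA URIs, entityIDs and config are assumed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("saml", NS["saml"])

# Assumed LoA URIs, weakest first; the list index defines the ordering.
LOA_URIS = [
    "http://example.org/assurance/loa1",
    "http://example.org/assurance/loa2",
    "http://example.org/assurance/loa3",
]
LEVEL = {uri: i + 1 for i, uri in enumerate(LOA_URIS)}

# Assumed gateway configuration (slide: SP requires a minimum LoA for an IdP,
# IdP requires a minimum LoA for an SP). Missing entries default to level 1.
SP_MIN_FOR_IDP = {("https://sp.example.org", "https://idp.example.edu"): 2}
IDP_MIN_FOR_SP = {("https://idp.example.edu", "https://sp.example.org"): 1}

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


def requested_context(authn_request_xml):
    """Return (class_refs, comparison) from RequestedAuthnContext; ([], None) if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return [], None
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    unknown = [r for r in refs if r not in LEVEL]
    if unknown:
        raise ValueError(f"unknown AuthnContextClassRef: {unknown}")
    # The SAML default when the Comparison attribute is omitted is "exact".
    return refs, rac.get("Comparison", "exact")


def resolve(sp, idp, authn_request_xml, achieved_loa):
    """Decide the response status and the AuthnContextClassRef to assert.

    achieved_loa is the LoA the user actually reached (institutional IdP login,
    plus a second factor if one was used). The gateway must never assert more
    than that, and must not assert less than the configured minima."""
    refs, comparison = requested_context(authn_request_xml)
    floor = max(SP_MIN_FOR_IDP.get((sp, idp), 1), IDP_MIN_FOR_SP.get((idp, sp), 1))
    if comparison == "minimum" and refs:
        floor = max(floor, min(LEVEL[r] for r in refs))
    elif comparison == "exact" and refs and achieved_loa not in refs:
        return NO_AUTHN_CONTEXT, None  # SP insisted on specific class(es) we did not reach
    elif comparison in ("better", "maximum"):
        return NO_AUTHN_CONTEXT, None  # not meaningful for LoA step-up; refuse rather than guess
    if LEVEL[achieved_loa] < floor:
        return NO_AUTHN_CONTEXT, None
    return SUCCESS, achieved_loa


def authn_context_xml(loa_uri):
    """The saml:AuthnContext element the gateway puts in the Assertion."""
    ctx = ET.Element(f"{{{NS['saml']}}}AuthnContext")
    ET.SubElement(ctx, f"{{{NS['saml']}}}AuthnContextClassRef").text = loa_uri
    return ET.tostring(ctx, encoding="unicode")


# Constructed AuthnRequest: the SP asks for at least LoA 2.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2014-06-01T12:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>http://example.org/assurance/loa2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for achieved in LOA_URIS:
        print(achieved, resolve("https://sp.example.org", "https://idp.example.edu",
                                SAMPLE_REQUEST, achieved))
```

Two points a gateway implementer should check: an omitted Comparison attribute means "exact" in SAML, so silently upgrading such a request to a higher LoA would hand the SP a class it did not ask for; and a configured minimum must apply even when the SP sends no RequestedAuthnContext at all, otherwise an SP can bypass the IdP's policy by simply not asking.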
Registration Flow
User self-service registration
–User authenticates with institutional IdP
–User selects and registers a step-up authentication device
–User confirms
–User receives a registration code
User visits RA
–User presents registration code to RA
–RA verifies the identity of the user
Registration Authorities
SAML Implementation
Interoperable SAML 2.0 Web Browser SSO Profile
Transparent SAML Proxy
–Publish SAML Metadata with IDPSSODescriptor
–Add supported LoAs using EntityAttributes
Proxy-friendly proxy
–Send Scoping with RequesterID
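The two proxy details on this slide, shown as an added example that is not code from the presentation or from OpenConext/SURFconext: metadata with an IDPSSODescriptor and an EntityAttributes extension listing the LoAs the gateway can assert, and the AuthnRequest the gateway forwards with Scoping/RequesterID naming the original SP. The entityIDs, LoA URIs and the metadata document are constructed; the use of the assurance-certification entity attribute to advertise LoAs is an assumption taken from the SAML V2.0 Identity Assurance Profiles, not something the slide states.

```python
"""Added example, not code from the slides or from OpenConext/SURFconext: the
metadata a transparent SAML proxy publishes and the AuthnRequest it forwards.
Assumed: the entityIDs and LoA URIs, and the use of the assurance-certification
entity attribute (SAML V2.0 Identity Assurance Profiles) to list supported LoAs."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed gateway metadata: IDPSSODescriptor plus EntityAttributes with the LoAs.
GATEWAY_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://gw.example.org">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://example.org/assurance/loa1</saml:AttributeValue>
        <saml:AttributeValue>http://example.org/assurance/loa2</saml:AttributeValue>
        <saml:AttributeValue>http://example.org/assurance/loa3</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://gw.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def supported_loas(metadata_xml):
    """LoA URIs advertised in EntityAttributes; an SP checks this before asking for one."""
    root = ET.fromstring(metadata_xml)
    loas = []
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_ATTR:
            loas.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS))
    return loas


def sso_location(metadata_xml, binding=REDIRECT):
    """Endpoint from the IDPSSODescriptor for the given binding."""
    root = ET.fromstring(metadata_xml)
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    raise LookupError(f"no SingleSignOnService for {binding}")


def requester_ids(authn_request_xml):
    """Entities already named in Scoping/RequesterID (empty for a request straight from an SP)."""
    root = ET.fromstring(authn_request_xml)
    return [e.text.strip() for e in root.findall("samlp:Scoping/samlp:RequesterID", NS)]


def proxy_request(incoming_xml, proxy_entity_id, loa_uri, request_id, issue_instant):
    """Build the AuthnRequest the gateway sends on to the institutional IdP.

    The Issuer becomes the proxy, so the IdP only has to trust one entity, but
    Scoping/RequesterID carries the original SP (and any earlier proxies) so the
    IdP can still apply per-SP policy. The LoA is requested as a minimum."""
    incoming = ET.fromstring(incoming_xml)
    original_sp = incoming.find("saml:Issuer", NS).text.strip()
    chain = requester_ids(incoming_xml) + [original_sp]
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = proxy_entity_id
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext", {"Comparison": "minimum"})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = loa_uri
    scoping = ET.SubElement(req, f"{{{NS['samlp']}}}Scoping")
    for entity_id in chain:
        ET.SubElement(scoping, f"{{{NS['samlp']}}}RequesterID").text = entity_id
    return ET.tostring(req, encoding="unicode")


# Constructed request as it arrives at the gateway from an SP.
SP_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sp1" Version="2.0" IssueInstant="2014-06-01T12:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    loa = "http://example.org/assurance/loa2"
    assert loa in supported_loas(GATEWAY_METADATA)
    print("send to", sso_location(GATEWAY_METADATA))
    print(proxy_request(SP_REQUEST, "https://gw.example.org", loa, "_gw1", "2014-06-01T12:00:01Z"))
```

The RequesterID chain is appended to rather than replaced, so an IdP behind two proxies still sees the SP the user started from; an IdP that trusts the proxy should treat those RequesterIDs as informational hints for policy, since only the Issuer is covered by the signature it verifies.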
More Information
OpenConext is open for collaboration – –
Step-up development – –