Presentation is loading. Please wait.

Presentation is loading. Please wait.

Minimal Level of Assurance (LoA)

Published byBasil Barnett Modified over 6 years ago

Similar presentations

Presentation on theme: "Minimal Level of Assurance (LoA)"— Presentation transcript:

1 Minimal Level of Assurance (LoA)
Recommendation for low-risk research use cases Hannah Short GÉANT Symposium, Vienna 9 March 2016

2 AARC Authentication and Authorisation for Research and Collaboration
Support the collaboration model across institutional and sector borders Build on the many existing and evolving components Technical and Policy goals To develop an integrated AAI built on production services (i.e. eduGAIN) To define an incident response framework to work in a federated context To agree on a LoA baseline for the R&E community To pilot new components and best practices guidelines in existing production services

3 Level of assurance Research community interviews done
Interviewed 6 research infrastructures CLARIN (language research) DARIAH (arts and humanities) ELIXIR (life science) LIGO (physics) photon/neutron facilities (physics) WLCG (physics) Interviewed 2 e-infrastructures (cyberinfrastructures) EGI PRACE Interview results:

4 Minimum LoA recommendation (30 Nov 2015)
The accounts in the Home Organisations must each belong to a known individual Persistent user identifiers (i.e., no reassignment of user identifiers) Documented identity vetting procedures (not necessarily face-to-face) Password authentication (with some good practices) Departing user’s eduPersonAffiliation must change promptly Self-assessment (supported with specific guidelines) The document:

5 Community consultation 11/2015-1/2016
Received 25 comments (mostly from federation operators) comments.pdf ”Is this a report feeding the actual profile work that will start” ”Need to involve more research communities to make them committed” ”This is an approximation of InCommon Silver which hasn’t gotten traction. Why would this?” Many comments expected more detail Unique identifier (”Don’t rule out ePPN”) Password requirements eduPersonAffiliation and departing users Mappings to existing federations policies

6 Spin-off: Self-assessment tool
Self-assessment proposed as the approach for ”IdP audit” A web based tool to support the IdP admins in the self-assessment Presents the specific requirements as a check-list The IdP admin goes through the list one-by-one The tool evaluates the answers If ”pass”, federation operator adds an Entity Category tag Software Requirements specification Together with Sirtfi eXWHGmzz27o/edit

7

8 Service Aspects of Assurance
IdPs and Federations Daniela Pöhn SA5T1 Subitem Service Aspects of Assurance Research Assistant DFN/LRZ GÉANT Symposium, Vienna

9 Results: Survey on federations
Results: LoA in place with contracts Identity Management Practice Statement, but not enforced Documented, but not enforced Most federations/IdPs do not want a higher LoA Impacts on adopting LoA: between none till high costs Hub-and-spoke federations have more control

10 Survey on identity provider
Results: Individual accounts Most IdPs have an identity vetting process, but not documented Most IdPs have certain password qualities (Almost) no second-factor authentication Update of account/affiliation between less than 2 weeks and more than 6 months Partly documented Partly Incident Response Process

11 Survey on identity provider

12 Survey on identity provider

13 Survey on identity provider

14 Survey on identity provider

15 Baseline requirements
Individual accounts Persistent, non re-assigned identifiers Documented identity vetting, which is not necessarily face to face Password authN with some good practices Departing user’s ePA changes promptly Self-assessment of LoA supported with specific guidelines

16 Possible costs Without much manpower or high costs: Unique identifies Persistent, not re-assigned identifiers (Internal) documentation of the vetting process Other aspects seem to be more expensive or time consuming: Documentation of all processes Promptly update of information Second-factor authentication Audit

17 Potential solutions Self-assessment template / tool: GÉANT web tool including recommendations and best practices (combined with SIRTFI and other monitoring/testing tools), For IdPs, who need a higher LoA: Peer (pairwise) auditing of IdPs Second-factor authentication: GÉANT could offer it as a service or procure Duo- type solution for community

18 GN4 Phase 2 Assurance within JRA3 T2 Web tool (together with SIRTFI?) Requirements for SIRTFI currently gathered in REFEDS WG Research is global, so assurance should be global as well Importance of coordination with InCommon and other parties Assurance might get an own WG

19 Do you have any questions?

Download ppt "Minimal Level of Assurance (LoA)"

Similar presentations

Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service 2012-02-27 Federated Identity Systems.

Innovation through participation Interfederation through eduGAIN - steps and challenges eduGAIN interfederation service Federated Identity Systems.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Updates Licia Florio, TERENA REFEDS Meeting 5 Sept 2012.

Updates Licia Florio, TERENA REFEDS Meeting 5 Sept 2012.
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.

Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Innovation through participation eduGAIN policy: A worm report TF-EMC2 Vienna 17.2.2010 Mikael Linden, CSC The worm farmer.

Innovation through participation eduGAIN policy: A worm report TF-EMC2 Vienna Mikael Linden, CSC The worm farmer.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.

Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.

Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.
Networks ∙ Services ∙ People Daniela Pöhn REFEDS EWTI, Vienna IdPs and Federations Service Aspects of Assurance 2015-12-01 SA5T1.

Networks ∙ Services ∙ People Daniela Pöhn REFEDS EWTI, Vienna IdPs and Federations Service Aspects of Assurance SA5T1.
Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team

Networks ∙ Services ∙ People Thomas Bärecke Journée Fédération, Paris Collaboration européenne GÉANT SA5 03/07/2015 SA5 T5 team
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos David Groep 9 th FIM4R Meeting The AARC Project.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos David Groep 9 th FIM4R Meeting The AARC Project.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration AARC/CORBEL Workshop for Life Sciences AAI AARC Draft Blueprint.

Authentication and Authorisation for Research and Collaboration AARC/CORBEL Workshop for Life Sciences AAI AARC Draft Blueprint.
ELIXIR AAI Michal Procházka, Mikael Linden, EGI VC 15 March 2016.

ELIXIR AAI Michal Procházka, Mikael Linden, EGI VC 15 March 2016.

Similar presentations

Ads by Google