Presentation is loading. Please wait.

Presentation is loading. Please wait.

REFEDS Assurance WG REFEDS meeting 16 June 2019

Published bySuparman Lesmono Modified over 5 years ago

Similar presentations

Presentation on theme: "REFEDS Assurance WG REFEDS meeting 16 June 2019"— Presentation transcript:

1 REFEDS Assurance WG REFEDS meeting 16 June 2019
Mikael Linden, REFEDS assurance wg chair, Jule Ziegler,

2 The assurance challenge
How was the registration/Identity Proofing done? Is that even a shared account Can this user ID be later reassigned to some other person? How fresh is that affiliation information? How was the user authentication done? Home University/Institution Service Provider eduGAIN interfederation Local federation Identity Provider Service Provider ePAffiliation=”faculty”

3 REFEDS Assurance Suite Delivered
REFEDS Assurance Framework (RAF) ver 1.0 REFEDS Single-factor authentication profile (SFA) ver 1.0 REFEDS Multi-factor authentication profile (MFA) ver 1.0 approved in June 2017

4 The big picture of assurance in REFEDS
Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

5 Split of responsibility between REFEDS specs
REFEDS Assurance framework (RAF) AuthN profiles Identifiers ID proofing Attributes Authentication Separate specification: REFEDS Single-Factor Authentication (SFA) ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication Separate specification: REFEDS Multi-Factor Authentication (MFA) ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

6 “Cappuccino” for low-risk research use cases
REFEDS Assurance framework (RAF) AuthN profiles Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ”Goes with” ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

7 “Espresso” for more demanding use cases
REFEDS Assurance framework (RAF) AuthN profiles Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication ”Goes with” High (e.g. F2F)

8 Single-factor authentication profile
To be expressed by the CSP in the AuthnContextClassRef (SAML) or acr claim (OIDC)

9 SFA profile requirements
Authenticator type Secret basis Min length Memorized Secret ≥52 characters (e.g. 52 letters) 12 characters ≥72 characters (e.g. 52 letters + 10 digits + 10 special characters) 8 characters Time based OTP-Device Out-of-Band Device 10-51 characters (e.g. 10 digits) 6 characters 4 characters Look-Up Secret Sequence based OTP-Device 10 characters Cryptographic Software/Device RSA/DSA 2048 bit ECDSA 256 bit Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

10 Further SFA requirements
Protection against online guessing (e.g. rate limiting). Secrets cryptographically protected at rest and in online transit Way of delivery Maximum life time Time based OTP Device 5 minutes Telephone network (e.g. SMS, phone) 10 minutes (e.g. recovery link) 24 hours Postal mail 1 month

11 SFA requirements: Replacement of a lost authentication factor
An existing secret must not be sent to the user (e.g. a stored password). The replacement procedure does not solely rely on knowledge-based authentication (e.g. answer a secret question). Human based procedures (e.g. service desk) ensure a comparable level of assurance of the requesting user identity as the initial identity vetting. In order to restore a lost authentication factor, an OTP may be sent to the users address of record. For authenticators which are provided to the user as a backup, all requirements of the corresponding authentication factor apply.

12 Multi-factor authentication profile
To be expressed by the CSP in the AuthnContextClassRef (SAML) or acr claim (OIDC)

13 MFA profile requirements
Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication The authentication of the user’s current session used a combination of at least two of the four distinct types of factors: something you know, something you have, something you are, something you do) The factors are independent (access to one factor does not by itself grant access to other factors) The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

14 Dissemination 38th REFEDS meeting in Trondheim ( 39th REFEDS meeting in Orlando ( TechEx 2018 session in Orlando ( Webinar December 2018 ( FIM4R meeting in February 2019 ( REFEDS blog (

15 Thank you for all your contributions!
Work done! Thank you for all your contributions! I’m stepping down as the Assurance WG chair

16 Questions? The work has been funded by AARC, AARC2 and GN4 projects

17 What’s next? Supporting documentation? Self-assessment tool?

18 Backup Slides

19 Assurance Framework assertions and profiles
To be expressed by the CSP in the eduPersonAssurance attribute $PREFIX$=

20 RAF values for properties of identifiers
ID proofing Attributes Authentication eduPersonAssurance=$PREFIX$/ID/unique The user identifier represents a single natural person The CSP can contact the person to whom the identifier is issued The user identifier is never re-assigned The user identifier is eduPersonUniqueID, SAML 2.0 persistent nameId, subject-id or pairwise-id or OIDC sub (public or pairwise) ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication eduPersonAssurance=$PREFIX$/ID/no-eppn-reassign - eduPersonPrincipalName value has properties 1-3 (see above). eduPersonAssurance=$PREFIX$/ID/eppn-reassign-1y - eduPersonPrincipalName value has properties 1-2 (see above) but may be re-assigned after a hiatus period of 1 year or longer. ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

21 RAF values for identity proofing
Identifiers ID proofing Attributes Authentication Identity proofing and credential issuance, renewal, and replacement qualify to any of… ID is unique, personal and traceable Low (self-asserted) eduPersonAssurance=$PREFIX$/IAP/low sections & of Kantara AL1 IGTF level DOGWOOD or ASPEN Affiliation freshness 1 month Single-factor authentication eduPersonAssurance=$PREFIX$/IAP/medium sections , &5.2.3 of Kantara AL2 IGTF level BIRCH or CEDAR section 2.1.2, and of eIDAS low ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F) eduPersonAssurance=$PREFIX$/IAP/high section , &5.3.3 of Kantara AL3 section 2.1.2, and of eIDAS substantial

22 RAF values for attribute freshness
Identifiers ID proofing Attributes Authentication eduPersonAssurance=$PREFIX$/ATP/ePA-1m eduPersonAffiliation, eduPersonScopedAffiliation and eduPersonPrimaryAffiliation attributes (if populated and released to the RP) reflect user’s departure within 31 days time ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication eduPersonAssurance=$PREFIX$/ATP/ePA-1d eduPersonAffiliation, eduPersonScopedAffiliation and eduPersonPrimaryAffiliation attributes (if populated and released to the RP) reflect user’s departure within one days time ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F) Departure = organisation (its business process) decides a person no more qualifies to that organisational role. This attribute describes maximum “IT lag” after the decision.

23 RAF conformance criteria
REFEDS Assurance framework (RAF) Identifiers ID proofing Attributes In all cases the CSP MUST (baseline expectations for Identity Providers): The Identity Provider is operated with organizational-level authority The Identity Provider is trusted enough that it is (or it could be) used to access the organization’s own systems Generally-accepted security practices are applied to the Identity Provider Federation metadata is accurate, complete, and includes at least one of the following: support, technical, admin, or security contacts A CSP indicates its conformance to this profile by asserting $PREFIX$. ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day High (e.g. F2F)

24 Single-factor authentication profile
To be expressed by the CSP in the AuthnContextClassRef (SAML) or acr claim (OIDC)

25 SFA profile requirements
Authenticator type Secret basis Min length Memorized Secret ≥52 characters (e.g. 52 letters) 12 characters ≥72 characters (e.g. 52 letters + 10 digits + 10 special characters) 8 characters Time based OTP-Device Out-of-Band Device 10-51 characters (e.g. 10 digits) 6 characters 4 characters Look-Up Secret Sequence based OTP-Device 10 characters Cryptographic Software/Device RSA/DSA 2048 bit ECDSA 256 bit Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

26 Further SFA requirements
Protection against online guessing (e.g. rate limiting). Secrets cryptographically protected at rest and in online transit Way of delivery Maximum life time Time based OTP Device 5 minutes Telephone network (e.g. SMS, phone) 10 minutes (e.g. recovery link) 24 hours Postal mail 1 month

27 SFA requirements: Replacement of a lost authentication factor
An existing secret must not be sent to the user (e.g. a stored password). The replacement procedure does not solely rely on knowledge-based authentication (e.g. answer a secret question). Human based procedures (e.g. service desk) ensure a comparable level of assurance of the requesting user identity as the initial identity vetting. In order to restore a lost authentication factor, an OTP may be sent to the users address of record. For authenticators which are provided to the user as a backup, all requirements of the corresponding authentication factor apply.

28 Multi-factor authentication profile
To be expressed by the CSP in the AuthnContextClassRef (SAML) or acr claim (OIDC)

29 MFA profile requirements
Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication The authentication of the user’s current session used a combination of at least two of the four distinct types of factors: something you know, something you have, something you are, something you do) The factors are independent (access to one factor does not by itself grant access to other factors) The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

30 Configuring and testing IdP

31 Configuring IdP products
Shibboleth: SimpleSAMLphp: please contribute to REFEDS wiki! Microsoft ADFS: custom attributes (eduPersonAssurance) supported custom authentication contexts not supported

32 https://attribute-viewer.aai.switch.ch/aai/
RAF values released by your IdP You can ask the test SP to request particular authentication context and display IdP’s response

33 What RAF/SFA/MFA does not cover
no SAML2 metadata defined no technical requirements for federation operator metadata management no conformance check program defined self-assessment of the CSP use SWITCHaai attribute viewer for testing technical conformance

Download ppt "REFEDS Assurance WG REFEDS meeting 16 June 2019"

Similar presentations

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
EAuthentication Before accessing the Delphi eInvoicing System, you must be an authenticated user. This authentication process is called eAuthentication.

EAuthentication Before accessing the Delphi eInvoicing System, you must be an authenticated user. This authentication process is called eAuthentication.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
1.3.1.G1 © Family Economics & Financial Education – Revised October 2004 – Consumer Protection Unit – Identity Theft Funded by a grant from Take Charge.

1.3.1.G1 © Family Economics & Financial Education – Revised October 2004 – Consumer Protection Unit – Identity Theft Funded by a grant from Take Charge.
The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,

The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna 17-18 Oct 2011

Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna Oct 2011
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.

REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.
Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.

Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.
Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.

Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.
Federal Requirements for Credential Assessments Renee Shuey ITS – Penn State February 6, 2007.

Federal Requirements for Credential Assessments Renee Shuey ITS – Penn State February 6, 2007.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.

Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.
Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.

Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.

Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.
ITU-T X.1254 | ISO/IEC 29115 An Overview of the Entity Authentication Assurance Framework.

ITU-T X.1254 | ISO/IEC An Overview of the Entity Authentication Assurance Framework.

Similar presentations

Ads by Google