Presentation is loading. Please wait.

Presentation is loading. Please wait.

REFEDS Assurance Suite

Published byちえこ いなおか Modified over 5 years ago

Similar presentations

Presentation on theme: "REFEDS Assurance Suite"— Presentation transcript:

1 REFEDS Assurance Suite
FIM4R, 11 Feb 2019 Mikael Linden, REFEDS assurance wg chair

2 Challenge How was the registration/Identity Proofing done?
Is that even a shared account Can this user ID be later reassigned to some other person? How fresh is that affiliation information? How was the user authentication done? Home University/Institution Research service eduGAIN interfederation Local federation Identity Provider Service Provider ePAffiliation=”faculty”

3 Short history of REFEDS Assurance Suite
11/2015 AARC publishes minimum requirements on assurance 6/2016 REFEDS establishes Assurance working group 4-6/2017 First public consultation on RAF 2-5/2018 Pilot on RAF, SFA and MFA 4-6/2018 Second public consultation on RAF and SFA 10/2018 RAF and SFA ver 1.0 published

4 REFEDS Assurance Suite
REFEDS Assurance Framework (RAF) ver 1.0 Approved and published REFEDS Single-factor authentiation profile (SFA) ver 1.0 REFEDS Multi-factor authentication profile (MFA) ver 1.0 approved in June 2017 You can use them together or separately

5 The big picture of assurance in REFEDS
Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

6 Split of responsibility between REFEDS specs
REFEDS Assurance framework (RAF) AuthN profiles Identifiers ID proofing Attributes Authentication Separate specification: REFEDS Single-Factor Authentication (SFA) ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication Separate specification: REFEDS Multi-Factor Authentication (MFA) ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

7 Test your IdP’s conformance: https://attribute-viewer. aai. switch
RAF values released by your IdP You can ask the test SP to request particular authentication context and display IdP’s response

8 Outreach to federations
Presentations REFEDS 38th in Trondheim Presentations REFEDS 39th meeting in Orlando TechEx 2018 session in Orlando Webinar December 2018

9 Otherwise the IdPs are not going to deploy it.
Start supporting it! Start requiring it! Otherwise the IdPs are not going to deploy it.

10 Questions? The work has been funded by AARC, AARC2 and GN4 projects

11 Backup slides

12 Assurance Framework assertions and profiles
To be expressed by the CSP in the eduPersonAssurance attribute $PREFIX$=

13 RAF values for properties of identifiers
ID proofing Attributes Authentication eduPersonAssurance=$PREFIX$/ID/unique The user identifier represents a single natural person The CSP can contact the person to whom the identifier is issued The user identifier is never re-assigned The user identifier is eduPersonUniqueID, SAML 2.0 persistent nameId, subject-id or pairwise-id or OIDC sub (public or pairwise) ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication eduPersonAssurance=$PREFIX$/ID/no-eppn-reassign - eduPersonPrincipalName value has properties 1-3 (see above). eduPersonAssurance=$PREFIX$/ID/eppn-reassign-1y - eduPersonPrincipalName value has properties 1-2 (see above) but may be re-assigned after a hiatus period of 1 year or longer. ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

14 RAF values for identity proofing
Identifiers ID proofing Attributes Authentication Identity proofing and credential issuance, renewal, and replacement qualify to any of… ID is unique, personal and traceable Low (self-asserted) eduPersonAssurance=$PREFIX$/IAP/low sections & of Kantara AL1 IGTF level DOGWOOD or ASPEN Affiliation freshness 1 month Single-factor authentication eduPersonAssurance=$PREFIX$/IAP/medium sections , &5.2.3 of Kantara AL2 IGTF level BIRCH or CEDAR section 2.1.2, and of eIDAS low ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F) eduPersonAssurance=$PREFIX$/IAP/high section , &5.3.3 of Kantara AL3 section 2.1.2, and of eIDAS substantial

15 RAF values for attribute freshness
Identifiers ID proofing Attributes Authentication eduPersonAssurance=$PREFIX$/ATP/ePA-1m eduPersonAffiliation, eduPersonScopedAffiliation and eduPersonPrimaryAffiliation attributes (if populated and released to the RP) reflect user’s departure within 31 days time ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication eduPersonAssurance=$PREFIX$/ATP/ePA-1d eduPersonAffiliation, eduPersonScopedAffiliation and eduPersonPrimaryAffiliation attributes (if populated and released to the RP) reflect user’s departure within one days time ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

16 RAF conformance criteria
REFEDS Assurance framework (RAF) AuthN profiles Identifiers ID proofing Attributes Authentication In all cases the CSP MUST (baseline expectations for Identity Providers): The Identity Provider is operated with organizational-level authority The Identity Provider is trusted enough that it is (or it could be) used to access the organization’s own systems Generally-accepted security practices are applied to the Identity Provider Federation metadata is accurate, complete, and includes at least one of the following: support, technical, admin, or security contacts A CSP indicates its conformance to this profile by asserting $PREFIX$. ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

17 “Cappuccino” for low-risk research use cases
REFEDS Assurance framework (RAF) AuthN profiles Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ”Goes with” ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

18 “Espresso” for more demanding use cases
REFEDS Assurance framework (RAF) AuthN profiles Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication ”Goes with” High (e.g. F2F)

19 Single-factor authentication profile

20 SFA profile requirements
Authenticator type Secret basis Min length Memorized Secret ≥52 characters (e.g. 52 letters) 12 characters ≥72 characters (e.g. 52 letters + 10 digits + 10 special characters) 8 characters Time based OTP-Device Out-of-Band Device 10-51 characters (e.g. 10 digits) 6 characters 4 characters Look-Up Secret Sequence based OTP-Device 10 characters Cryptographic Software/Device RSA/DSA 2048 bit ECDSA 256 bit Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

21 Further SFA requirements
Protection against online guessing (e.g. rate limiting). Secrets cryptographically protected online and in transit Way of delivery Maximum life time Time based OTP Device 5 minutes Telephone network (e.g. SMS, phone) 10 minutes (e.g. recovery link) 24 hours Postal mail 1 month

22 SFA requirements: Replacement for a lost authentication factor
An existing secret must not be sent to the user (e.g. a stored password). The replacement procedure does not solely rely on knowledge-based authentication (e.g. answer a secret question). Human based procedures (e.g. service desk) ensure a comparable level of assurance of the requesting user identity as the initial identity vetting. In order to restore a lost authentication factor, an OTP may be sent to the users address of record. For authenticators which are provided to the user as a backup, all requirements of the corresponding authentication factor apply.

23 Multi-factor authentication profile

24 MFA profile requirements
Identifiers ID proofing Attributes Authentication ID is unique, personal and traceable Low (self-asserted) Affiliation freshness 1 month Single-factor authentication The authentication of the user’s current session used a combination of at least two of the four distinct types of factors: something you know, something you have, something you are, something you do) The factors are independent (access to one factor does not by itself grant access to other factors) The combination of the factors mitigates single-factor only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor ePPN is unique, personal and traceable Medium (e.g. postal credential delivery) Affiliation freshness 1 day Multi-factor authentication High (e.g. F2F)

Download ppt "REFEDS Assurance Suite"

Similar presentations

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna 17-18 Oct 2011

Innovation through participation eduGAIN federation operator training eduGAIN policy eduGAIN training in Vienna Oct 2011
Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.

Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.

Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.
Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.

Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.

Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.
Levels of Assurance in Authentication Tim Polk April 24, 2007.

Levels of Assurance in Authentication Tim Polk April 24, 2007.
INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.

INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.
Innovation through participation eduGAIN interfederation service for research and education Cern FedID workshop in RAL, UK 2-3 Nov 2011 Mikael Linden,

Innovation through participation eduGAIN interfederation service for research and education Cern FedID workshop in RAL, UK 2-3 Nov 2011 Mikael Linden,
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.

Authentication and Authorisation for Research and Collaboration Mikael Linden AARC all hands Milan Authentication and Authorisation.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Click to edit Master title style © 20101 by Nat Sakimura. Coping with Information Asymmetry SESSION G: Managing Risk & Reducing Online Fraud Using New.

Click to edit Master title style © by Nat Sakimura. Coping with Information Asymmetry SESSION G: Managing Risk & Reducing Online Fraud Using New.
Networks ∙ Services ∙ People Daniela Pöhn REFEDS EWTI, Vienna IdPs and Federations Service Aspects of Assurance 2015-12-01 SA5T1.

Networks ∙ Services ∙ People Daniela Pöhn REFEDS EWTI, Vienna IdPs and Federations Service Aspects of Assurance SA5T1.

Similar presentations

Ads by Google