Scribing Template --Thursday, Oct 4, 2012 at 4:30pm Freedom E Room


TOPIC: Issues with Implementing Assurance Over-the-Wire

CONVENER: Warren Curry

SCRIBE: Ann West

# of ATTENDEES:20

MAIN ISSUES DISCUSSED 

Help IdPs and SPs to implement Assurance Over the Wire.

AuthnContext must be used over the wire, but this is weakly documented.

The SAML spec allows multiple qualifiers in one request, but in practice they must be sent to the IdP one at a time.

  • Investigate the IdP algorithm that Scott sent. What is the actual behavior of the IdP when an SP requests multiple qualifiers in one trip?
  • Check whether the IdP is certified at the levels you are requesting in the metadata.

  • Use three round trips to send Silver, Bronze, uncertified. SPs check the metadata for certified schools; recommend testing with the IdP.
  • Don't strand the user at the error page. If the SP requests an AuthnContextClassRef and the IdP can't provide the right qualifier, let the SP deal with the error; the SP gets the service call.
  • CILogon is planning to test with Virginia Tech on the use case of a population with mixed Bronze and Silver, and how the interaction works for the user. In particular, how the step-up behavior (a second factor increases LoA to Silver) works for the user.
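The ladder described in the bullets above (request Silver, then Bronze, then unspecified, one AuthnContextClassRef per round trip; skip levels the metadata does not certify; treat a mismatch as the SP's error to handle rather than stranding the user) as an added SP-side example. This is not code from the meeting or from any of the named projects. The InCommon Silver/Bronze URIs, the SAML namespaces and the `urn:oasis:names:tc:SAML:attribute:assurance-certification` entity attribute are real identifiers; the entity ID, the metadata fragment, the `fake_idp` stand-in for a Bronze-only IdP, the timestamps and all helper names are constructed for the example.

```python
# Added example (not from the meeting notes): SP-side assurance negotiation that
# sends one AuthnContextClassRef per round trip and checks metadata certification.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ASSURANCE_CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SILVER = "http://id.incommon.org/assurance/silver"
BRONZE = "http://id.incommon.org/assurance/bronze"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"  # constructed

# Constructed federation metadata: one IdP with an assurance-certification entity attribute.
METADATA_TEMPLATE = """<md:EntitiesDescriptor xmlns:md="{md}" xmlns:mdattr="{mdattr}" xmlns:saml="{saml}">
  <md:EntityDescriptor entityID="{entity}">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{attr}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{values}</saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def constructed_metadata(*levels):
    """Build the constructed metadata above, certifying the given assurance URIs."""
    values = "".join(f"<saml:AttributeValue>{lvl}</saml:AttributeValue>" for lvl in levels)
    return METADATA_TEMPLATE.format(md=NS["md"], mdattr=NS["mdattr"], saml=NS["saml"],
                                    entity=IDP_ENTITY_ID, attr=ASSURANCE_CERT_ATTR, values=values)

def certified_assurance(metadata_xml, entity_id):
    """Assurance URIs the metadata certifies for one IdP (empty set if none)."""
    levels = set()
    for ed in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for attr in ed.iter(f"{{{NS['saml']}}}Attribute"):
            if attr.get("Name") == ASSURANCE_CERT_ATTR:
                levels.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return levels

def build_authn_request(class_ref, request_id):
    """AuthnRequest carrying exactly one qualifier: one level per round trip."""
    samlp = f"{{{NS['samlp']}}}"
    req = ET.Element(samlp + "AuthnRequest", ID=request_id, Version="2.0", IssueInstant="2012-10-04T16:30:00Z")
    rac = ET.SubElement(req, samlp + "RequestedAuthnContext", Comparison="exact")
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")

def asserted_context(response_xml):
    """AuthnContextClassRef the IdP actually asserted, or None when no AuthnStatement came back."""
    ref = ET.fromstring(response_xml).find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None

def negotiate(metadata_xml, idp_entity_id, send_request, ladder=(SILVER, BRONZE, UNSPECIFIED)):
    """Walk the ladder top-down; return (level reached or None, per-step log).
    A response whose asserted class differs from the request is a failed step,
    so the SP moves down the ladder instead of leaving the user on an error page."""
    certified = certified_assurance(metadata_xml, idp_entity_id)
    attempts = []
    for n, level in enumerate(ladder):
        if level != UNSPECIFIED and level not in certified:
            attempts.append((level, "skipped: not certified in metadata"))
            continue
        got = asserted_context(send_request(build_authn_request(level, f"_req{n}")))
        if got == level:
            attempts.append((level, "ok"))
            return level, attempts
        attempts.append((level, f"failed: IdP asserted {got}"))
    return None, attempts

def fake_idp(authn_request_xml):
    """Constructed stand-in for a Bronze-only IdP: asserts Bronze for a Bronze or
    unspecified request, otherwise answers Responder/NoAuthnContext with no assertion."""
    want = ET.fromstring(authn_request_xml).find(".//saml:AuthnContextClassRef", NS).text
    samlp, saml = f"{{{NS['samlp']}}}", f"{{{NS['saml']}}}"
    resp = ET.Element(samlp + "Response", ID="_resp", Version="2.0", IssueInstant="2012-10-04T16:30:01Z")
    status = ET.SubElement(ET.SubElement(resp, samlp + "Status"), samlp + "StatusCode")
    if want in (BRONZE, UNSPECIFIED):
        status.set("Value", "urn:oasis:names:tc:SAML:2.0:status:Success")
        assertion = ET.SubElement(resp, saml + "Assertion", ID="_a1", Version="2.0", IssueInstant="2012-10-04T16:30:01Z")
        stmt = ET.SubElement(assertion, saml + "AuthnStatement", AuthnInstant="2012-10-04T16:30:01Z")
        ET.SubElement(ET.SubElement(stmt, saml + "AuthnContext"), saml + "AuthnContextClassRef").text = BRONZE
    else:
        status.set("Value", "urn:oasis:names:tc:SAML:2.0:status:Responder")
        ET.SubElement(status, samlp + "StatusCode", Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext")
    return ET.tostring(resp, encoding="unicode")

if __name__ == "__main__":
    # Metadata that certifies only Bronze: Silver is skipped without a round trip.
    print(negotiate(constructed_metadata(BRONZE), IDP_ENTITY_ID, fake_idp))
    # Metadata that claims Silver for an IdP that cannot assert it: the Silver step
    # fails on the mismatch and the SP falls back to Bronze.
    print(negotiate(constructed_metadata(SILVER, BRONZE), IDP_ENTITY_ID, fake_idp))
```

The second run in the `__main__` block is the case the bullets warn about: certification in metadata is a claim about the school, not a guarantee about a given login, so the SP still compares the asserted AuthnContextClassRef against what it requested before granting the higher-LoA service.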

NIH – Debbie Bucci – Two-factor + Silver may be required by the medical space. Government health-related IT committees are recommending two-factor. With the Blue Button, you have a right to view your health information; this will use third-party credentials. eRA will provide Silver apps, but the scope will be much broader in the future, especially in the medical space. Assurance programs take a long time to implement and adopt, so we should be aiming at Silver plus two-factor. Apps requiring Silver + two-factor are common in the financial and health care space.

Why not have a high LoA for everyone and just be done? Granularity is needed for cost reasons. Why spend the funding to do the identity proofing, for instance, for services with low risk to the organization?

UFL did a fit-gap analysis, useful just for internal use, to fix obvious problems. It took a couple of months to address the gaps.

If you have suggestions for the Assurance spec documents, please send them to the assurance list at assurance@incommon.org.

ACTIVITIES GOING FORWARD / NEXT STEPS

  • Update the wiki documentation to reflect information gleaned in the testing.
    • CAS, CoSign, Shibboleth, Two-factor
  • Influence Shibboleth V3 to better handle AuthnContext
  • Include custom login handler contributions from campuses