Project Charter MSU/CIC InCommon Assurance Project II
Background:
The CIC Identity Management Task Force is leading a project whose goal is for all the CIC institutions to be certified for federated authentication at the Silver level of assurance (LOA) by InCommon (the U.S. Higher Education federation) for at least some of our user credentials, and at the Bronze level for our standard issue credentials that are supplied to students, faculty, and staff. MSU has been participating in this CIC initiative. In addition, MSU will seek certification at the Bronze level for our MSU CommunityID credentials, as well as our standard MSU netids.
This effort is a re-launch of an ATS project that began in the fall of 2010. We fell behind schedule on the project at MSU as did all the other CIC institutions. One reason for this is that the original versions of the Incommon Bronze and Silver Identity Assurance Profiles were not workable, and the CIC institutions including MSU became heavily involved in working with the InCommon Technical Advisory Committee to revise them. Now that we have a much more workable IAP available, many of the institutions are re-prioritizing their projects and rescheduling them for sometime in Q1 or Q2 2013.
Another factor that is leading us to redefine the project scope somewhat is the request from the federal government’s ICAM agency (Identity, Credential, and Access Management) to InCommon that institutions be encouraged strongly to be certified for Bronze as well as Silver. ICAM has also advised that plans are in the works to require level 1 (Bronze) credentials for a wide array of services. InCommon responded by greatly streamlining the Bronze profile including removal of the requirement for an independent audit. This will likely be approved by FICAM as compliant with their level 1 requirement.
The problem area this project addresses relates to federated authentication, i.e., the use of local credentials to authenticate and obtain access to remote resources through a trusted framework. For MSU, the policy and governance aspects of the trust framework are provided through the InCommon trust federation, and the technical infrastructure is provided by our Shibboleth service. The specific issue is the growing need for resource owners who support federated authentication to require stronger identity assurance before granting access.
To address this, InCommon and other organizations involved in initiatives to facilitate trust frameworks, notably the federal government and NIST, have established the idea of levels of assurance. InCommon has defined two levels, Bronze and Silver, in their documents titled “Identity Assurance Profiles,” and “Identity Assurance Assessment Framework.” Silver requires more stringent identity assurance procedures than Bronze. The Silver profile specifies policies and practices in the area of business processes, and also with regard to technical infrastructure. The Bronze profile has no requirement for identity verification at credential issuance time, only that once a credential is issued that user is protected by reasonably strong authentication technology and business practices. We believe our MSU CommunityID credentials, as well as our standard-issue MSU Netids, can meet these requirements.
- 1.1. Project Justification - State the justification of the business needs, problems or opportunities the project addresses – a market demand, business need, legal requirement, social need, customer request or technological advance
This project meets MSU needs for policy and technical infrastructure that will allow MSU to comply with increasingly stringent identity assurance requirements for federated access to resources that will be needed by our users. In particular, NIH and NSF have both said they will require LOA 2 for some resources at some point in the future. CIC Institutions and InCommon members anticipate that by strengthening the trust framework increased opportunities for collaboration and resource sharing will emerge, as higher-risk services may now be able to trust the higher LOA federated credentials. Some resources, mainly in the research space, are starting to support SAML/Shibboleth LOA assertions as a first step toward requiring it; these include CILogon, LIGO, and National Student Clearinghouse. We also anticipate internal use cases for applications to be able to require stronger authentication security as expressed via a higher level of assurance credential.
In the case of Bronze, the main driver is the statement from InCommon that institutions are strongly encouraged to apply for Bronze certification at the same time as applying for Silver. We wish to position MSU to be ready as various resources begin requiring these levels of assurance for access.
Last, but not least, the requirements of the InCommon Identity Assurance profiles are all based on industry standard best practices that would be worthwhile to follow in their own right. Documentation needed for the InCommon Assurance audit process will generalize in many cases for public consumption and/or to feed into other audit or periodic review processes.