This working group was chartered 11 Jun 2024 by the InCommon Community Trust and Advisory Board (CTAB).
Problem Statement
Some research service providers (SPs) and others face an increasing need to demonstrate that their users have been well identity-proofed and that their authentication credentials are multifactor and well-bound to the user. These needs are incumbent on the users’ Identity Providers (IdPs). The Assured Access Working Group identified and documented processes that may be available at least to US academic organizations and that can form the basis for asserting corresponding levels of assurance of identity proofing and credential binding, publishing the REFEDS Assurance Framework Implementation Guidance for the InCommon Federation. This work was based on the REFEDS Assurance Framework (RAF) v1.0. Since then, RAF has been updated to version 2.0.
This WG will update the REFEDS Assurance Framework Implementation Guidance for the InCommon Federation for the revised version of RAF. The WG may decide to continue work on a more comprehensive set of recommendations after its initial release.
Stakeholders/Influencers/Influences
- IAM architects at InCommon participant organizations
- Commercial and non-profit IdM providers, including Identity Management as a Service (IdMaaS) providers
- InCommon Federation (Internet2) management
- REFEDS Assurance WG (inactive)
- Federated Identity Management for Research (FIM4R) community
- NIH CIT
- Research Data and Communications Technologies (RDCT), consultancy to NIAID that has studied these issues closely
- NERSC, ditto
- Kantara Initiative Assurance Program, which assesses Credential Service Providers and related component services and is accepted by the US Government for validating adherence to NIST 800-63-2 and 800-63-3. The WG may consider asking their opinions of draft guidance.
Charter
The AAWG2 will:
- Review the REFEDS Assurance Framework Implementation Guidance for the InCommon Federation, revise it in the context of the updated RAF2, and publish it as the REFEDS Assurance Framework Implementation Guidance for the InCommon Federation v2.0.
- Assess the potential role of referral processes as compensating controls for some identity proofing steps. Examples:
  - A Principal Investigator whose identity has been sufficiently proofed confirms identity evidence submitted by their collaborator.
  - An instructor or advisor whose identity has been sufficiently proofed confirms identity evidence submitted by their student.
- Review and update guidance, supplemental to criteria defined in NIST 800-63, Kantara, and related standards, on ways that credential issuance, renewal, and replacement can be linked to a vetted identity, including:
  - In person, such as ID Card issuing or HR processes.
  - In association with commercial services that validate identity evidence, e.g., via an API.
  - Compensating controls, i.e., ways that a credential can be reasonably inferred to be controlled by the proofed identity it was assigned to. Example: if a credential is required to route employee paychecks to their bank, can it be inferred to be well-bound to that employee even if the credential issuance process does not itself accomplish the linkage?
- Meet biweekly, with WG freedom to determine a more rapid meeting schedule as needed.
- Share information and coordinate with the REFEDS Assurance WG (or REFEDS leadership while WG is inactive).
- Recommend other working groups that may be needed, e.g., to address similar needs in other countries.
Out of Scope:
- Outreach activities to deliver the WG’s guidance to InCommon Participants and related support activities. These will be undertaken by InCommon.
Membership
Membership in the Assured Access Working Group 2 is open to all interested parties. Solicitation will take place on lists such as the InCommon Participants list and the REFEDS list, explicitly seeking international participation. Some stakeholders may be explicitly solicited by the Co-Chairs or other Working Group members for participation, e.g., providers who do not ordinarily participate on the above lists. Members join the Working Group by subscribing to the mailing list and Slack channel, participating on the calls, and otherwise actively engaging in the work of the group.
Work Products
- Update the 2022 Assured Access Working Group product on IdP implementation to reflect RAF2.
- Refine guidance to IdPs to ease implementation and adoption of RAF2.
Appendices and Resources
- REFEDS Assurance Framework Implementation Guidance for the InCommon Federation (TI.157.1-RAF-Implementation-Guide-V1-2021-05.pdf)
- NIH Compliance login test: https://authdev.nih.gov/CertAuthV3/forms/compliancecheck.aspx
- electronic Research Administration (eRA) Commons: https://era.nih.gov/
- Form-I9 Training and Webinars: https://www.uscis.gov/i-9-central/form-i-9-resources/form-i-9-training
- REFEDS Assurance Framework: https://refeds.org/assurance