Exported From Confluence, Thu, 28 Mar 2024
Background:
The CIC Identity Management Task Force is leading a project whose goal is for all the CIC institutions to be certified by InCommon (the U.S. Higher Education federation) for federated authentication at the Silver level of assurance (LOA) for at least some of their user credentials, and at the Bronze level for the standard-issue credentials supplied to students, faculty, and staff. MSU has been participating in this CIC initiative. In addition, MSU will seek certification at the Bronze level for our MSU CommunityID credentials, as well as our standard MSU NetIDs.
This effort is a re-launch of an ATS project that began in the fall of 2010. We fell behind schedule on the project at MSU, as did all the other CIC institutions. One reason for this is that the original versions of the InCommon Bronze and Silver Identity Assurance Profiles were not workable, and the CIC institutions, including MSU, became heavily involved in working with the InCommon Technical Advisory Committee to revise them. Now that a much more workable IAP is available, many of the institutions are re-prioritizing their projects and rescheduling them for sometime in Q1 or Q2 2013.
Another factor leading us to redefine the project scope somewhat is the request to InCommon from the federal government's ICAM (Identity, Credential, and Access Management) program that institutions be strongly encouraged to be certified for Bronze as well as Silver. ICAM has also advised that plans are in the works to require level 1 (Bronze) credentials for a wide array of services. InCommon responded by greatly streamlining the Bronze profile, including removal of the requirement for an independent audit. This streamlined profile will likely be approved by FICAM as compliant with their level 1 requirement.
The problem area this project addresses relates to federated authentication, i.e., the use of local credentials to authenticate and obtain access to remote resources through a trusted framework. For MSU, the policy and governance aspects of the trust framework are provided through the InCommon trust federation, and the technical infrastructure is provided by our Shibboleth service. The specific issue is the growing need of resource owners who support federated authentication to require stronger identity assurance before granting access.
To address this, InCommon and other organizations involved in initiatives to facilitate trust frameworks, notably the federal government and NIST, have established the idea of levels of assurance. InCommon has defined two levels, Bronze and Silver, in its documents titled "Identity Assurance Profiles" and "Identity Assurance Assessment Framework." Silver requires more stringent identity assurance procedures than Bronze. The Silver profile specifies policies and practices for business processes and also for technical infrastructure. The Bronze profile has no requirement for identity verification at credential issuance time; it requires only that, once a credential is issued, the user is protected by reasonably strong authentication technology and business practices. We believe our MSU CommunityID credentials, as well as our standard-issue MSU NetIDs, can meet these requirements.
This project meets MSU's need for the policy and technical infrastructure that will allow MSU to comply with the increasingly stringent identity assurance requirements for federated access to resources that our users will need. In particular, NIH and NSF have both said they will require LOA 2 for some resources at some point in the future. CIC institutions and InCommon members anticipate that strengthening the trust framework will open up increased opportunities for collaboration and resource sharing, since higher-risk services may then be able to trust the higher-LOA federated credentials. Some resources, mainly in the research space, are starting to support SAML/Shibboleth LOA assertions as a first step toward requiring them; these include CILogon, LIGO, and the National Student Clearinghouse. We also anticipate internal use cases in which applications will need to require stronger authentication security, expressed via a higher level of assurance credential.
In the case of Bronze, the main driver is the statement from InCommon that institutions are strongly encouraged to apply for Bronze certification at the same time as applying for Silver. We wish to position MSU to be ready as various resources begin requiring these levels of assurance for access.
Last, but not least, the requirements of the InCommon Identity Assurance Profiles are all based on industry-standard best practices that would be worthwhile to follow in their own right. Documentation produced for the InCommon Assurance audit process will in many cases generalize for public consumption and/or feed into other audit or periodic review processes.