...

  • Clock skew: the implementation profile is vague on this, calling only for a "reasonable" value and recommending a range of three to five minutes. The Deployment Profile makes the three to five minute range a requirement.
  • Forced authentication: the Deployment Profile recommends that the SP check the currency of the AuthnInstant to confirm that the IdP actually reauthenticated the user. The implementation profile doesn't require that this value be exposed to the application so that it can be checked.


Remaining items for R&E-specific, application-specific, federation operator and other work

R&E-specific profile:

  • Adoption of the new SAML subject identifiers
  • Agreement on logo standards for use in metadata
  • Creation of and adoption of an entity category to tag non-interoperable IdPs ("Red" IdPs)
  • Define and publish a standard that declares attributes for use in R&E federations

Federated applications profile:

  • Authorization, provisioning and de-provisioning using standard values
  • Identifier mapping from asserted identifier into application-specific identifier
  • Application support for custom authentication context class references such as the REFEDS MFA profile, including their use for 'step-up' authentication and possibly for forced re-authentication; in the forced re-authentication case the SP must check the AuthnInstant.
  • Configuring attribute release/consumption based on available context
  • Adoption of the new SAML subject identifiers
  • Development of a "Ready for Collaboration" entity category
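The two SP-side checks called out above (the AuthnInstant currency check for forced re-authentication, with the clock-skew tolerance the Deployment Profile requires, and the AuthnContextClassRef match for step-up such as REFEDS MFA) are small enough to show in one routine. The following is an added example, not code from either profile or from any InCommon software; the function and field names are the example's own, the three-minute default skew is taken from the low end of the profile's range, and the timestamps in the usage are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# REFEDS MFA authentication context class (the value an SP requests for step-up).
REFEDS_MFA = "https://refeds.org/profile/mfa"


@dataclass
class AuthnCheckResult:
    ok: bool
    reason: str


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as '2024-05-01T12:04:30Z' (UTC, trailing Z).

    Hypothetical helper: real SAML stacks hand the SP a parsed datetime.
    """
    if not value.endswith("Z"):
        raise ValueError("SAML dateTime values are expected in UTC with a trailing Z")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_authn_statement(
    authn_instant: str,
    authn_context_class_ref: str,
    *,
    now: datetime,
    request_issued_at: datetime,
    force_authn: bool,
    required_context: Optional[str] = None,
    clock_skew: timedelta = timedelta(minutes=3),
) -> AuthnCheckResult:
    """Validate the AuthnStatement the SP received against what it asked for.

    - An AuthnInstant further in the future than the allowed skew is rejected.
    - If the SP sent ForceAuthn, the IdP must have authenticated the user at or
      after the request was issued (minus skew); an older instant means the IdP
      reused an existing session instead of reauthenticating.
    - If the SP requested a specific context class (e.g. REFEDS MFA), the
      asserted class must match exactly.
    """
    instant = parse_saml_instant(authn_instant)

    if instant > now + clock_skew:
        return AuthnCheckResult(False, "AuthnInstant is in the future beyond clock skew")

    if force_authn and instant < request_issued_at - clock_skew:
        return AuthnCheckResult(False, "ForceAuthn requested but AuthnInstant predates the request")

    if required_context is not None and authn_context_class_ref != required_context:
        return AuthnCheckResult(False, f"required context {required_context} not asserted")

    return AuthnCheckResult(True, "ok")


if __name__ == "__main__":
    # Constructed timestamps: the SP issued its AuthnRequest at 12:04:00Z and is
    # processing the response at 12:05:00Z.
    now = datetime(2024, 5, 1, 12, 5, 0, tzinfo=timezone.utc)
    issued = datetime(2024, 5, 1, 12, 4, 0, tzinfo=timezone.utc)

    fresh = check_authn_statement("2024-05-01T12:04:30Z", REFEDS_MFA, now=now,
                                  request_issued_at=issued, force_authn=True,
                                  required_context=REFEDS_MFA)
    stale = check_authn_statement("2024-05-01T11:30:00Z", REFEDS_MFA, now=now,
                                  request_issued_at=issued, force_authn=True)
    print(fresh, stale, sep="\n")
```

The skew is applied in both directions: an instant slightly ahead of the SP's clock is tolerated, and an instant slightly before the request was issued is tolerated for ForceAuthn, which is exactly the window a five-minute maximum keeps small. Without ForceAuthn the instant is not compared to the request time at all, since the IdP is then free to reuse an existing session.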

Federation operator profile:

  • Standardized attribute release requirements for participant IdPs (could get tricky with applications that don't want attributes, for example library/publisher SPs)
  • NOTE: This one needs to be better defined: Dealing with FERPA suppression of attributes for graduate students participating in research projects
  • Prevent vendors from charging fees for use of SAML in a multilateral federation context
  • NOTE: This one needs to be better defined: "Lack of framework/contract terms; change controls, support escalation"
  • Publication of security contact information for incident response (requirement for support for SIRTFI)

Other work to be done:

  • Browser cookie handling improvements and/or token binding are needed (support for removing sessions at logout time; Safari's new anti-tracking cookie behavior is problematic)


Next steps and recommendations to InCommon

...