Statement - All entity (IdP and SP) service endpoints must be secured with current and supported transport layer encryption.
What is it?
When registering an entity (IdP or SP) in InCommon, all connection endpoints of that entity must be an HTTPS URL. Further, the transport layer security protocol and associated ciphers used must be supported and trustworthy versions.
For an IdP, a “connection endpoint” includes the locations for the ArtifactResolutionService, the SingleSignOnService, the SingleLogoutService, and the AttributeService.
For an SP, a “connection endpoint” includes the locations for the AssertionConsumerService and the SingleLogoutService.
Who does this requirement apply to?
This requirement applies to all entities (identity providers and service providers) registered with the InCommon Federation.
How do I meet this requirement?
All endpoints in an entity’s metadata must be properly encrypted using a sufficiently strong encryption protocol and cipher. The transport encryption used must be supported by its maker. As technology evolves rapidly in this area, it is important that participants test and update their security implementations to mitigate the risk of data loss and system compromise, as well as to provide greater awareness and transparency.
Specifically, participants should test their implementations against the criteria compiled in The Open Web Application Security Project’s (OWASP) Transport Layer Protection Cheatsheet (https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html) and the TLS Cipher String Cheatsheet (https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html).
Popular security testing software such as the Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest) is a convenient way to test your server against these criteria. If using the Qualys SSL Labs Server Test, an overall rating of A or better is considered to meet the requirements of the InCommon Baseline Expectations.
For example, as of January 2020, that means the endpoints should use at least TLS 1.2. Older versions of TLS and SSL protocols are not appropriate as they are either unsupported or have known security vulnerabilities. Encryption should rely on strong encryption suites, which may require disabling older encryption suites with known vulnerabilities.
To meet this requirement, all endpoints of an entity must maintain a grade of A or better according to the test criteria defined in the SSL Labs SSL Server Rating Guide.
Qualys SSL Lab Server Test is a reference implementation of this guide, and is suitable to use to test an entity against the Rating Guide’s criteria. If the test score is less than an A, the IdP or SP Operator must apply mitigating measures within 90 days.
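As an added example (not part of the InCommon page or its tooling), a small Python check that reads an entity’s SAML metadata, lists the endpoint Locations named above, flags any that are not HTTPS, and reports the TLS version a default client negotiates with a live endpoint; the entityID, hostnames and metadata below are constructed.

```python
import ssl
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Endpoint element names covered by the requirement (IdP and SP).
ENDPOINT_TAGS = ("ArtifactResolutionService", "SingleSignOnService",
                 "SingleLogoutService", "AttributeService",
                 "AssertionConsumerService")

# Constructed sample SP metadata: one HTTPS endpoint and one plain-HTTP one.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.edu/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def endpoint_locations(metadata_xml):
    """Return (tag, Location) for every service endpoint in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for tag in ENDPOINT_TAGS:
        for el in root.iter("{%s}%s" % (MD_NS, tag)):
            loc = el.get("Location")
            if loc:
                found.append((tag, loc))
    return found


def non_https_endpoints(metadata_xml):
    """Endpoints whose URL scheme is not https; these fail the requirement outright."""
    return [(tag, loc) for tag, loc in endpoint_locations(metadata_xml)
            if urlparse(loc).scheme.lower() != "https"]


def negotiated_tls_version(url, timeout=5):
    """Connect to the endpoint host and return the protocol version negotiated with
    a default client context (current Python defaults to a TLS 1.2 minimum, so a
    server offering only older protocols raises instead). Needs network access."""
    parsed = urlparse(url)
    ctx = ssl.create_default_context()
    with socket.create_connection((parsed.hostname, parsed.port or 443), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parsed.hostname) as tls:
            return tls.version()


def meets_minimum(version):
    """True when the negotiated protocol is TLS 1.2 or newer, as the text requires."""
    return version in ("TLSv1.2", "TLSv1.3")
```

The offline checks cover the HTTPS-scheme rule; `negotiated_tls_version` is a quick spot check and does not replace the full SSL Labs grading the page asks for.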
Periodic Scanning - The InCommon Federation will implement automated, periodic testing to verify that all registered endpoints meet the “current and trustworthy” criteria. Endpoints in a registered IdP or SP must be accessible from a public location on the Internet in order to facilitate testing.
Periodic Scanning - InCommon will conduct periodic Qualys-based endpoint scans to ensure all endpoints registered in the InCommon Federation meet these requirements. If an endpoint fails to score A- or better in these periodic scans, InCommon will notify the responsible participant organization’s Site Administration. The organization has 30/45/90 days to remediate. Failing to remediate results in the entity’s removal from the InCommon metadata. Those needing more time may propose a reasonable alternative to InCommon’s Community Trust and Assurance Board.