
...


Attending:

Ann West, Internet2
David Walker, Internet2
Steve Devoti, UW-Madison/AAC Chair
Mark Jones, UT Houston
Eric Goodman, UCOP
Benn Oshrin, Spherical Cow Consulting
Randy Miotke, Colorado State University
Susan Neitsch, Texas A&M University
Tom Golson, Texas A&M University
Jeff Capehart, University of Florida

Discussion

...

Today's call will focus on InCommon Assurance and US Government discussions. Slides used for this Assurance Call are here.

Topics:

  • Update on the FICAM Program
  • Implications on the InCommon Assurance Program
  • Next Steps for the Assurance Advisory Committee (AAC)

...

FICAM was based on NIST 800-63.
Currently there are 3 FICAM Approved Trust Framework Providers:

...

The previous spec and related documents focused on identity provider and credential practices. With the approval of FICAM 2.0, there are changes. FICAM 2.0 also encompasses:

  • federation requirements outside identity assurance

...

  • Citizen2Government target

...

  • Componentized Identity Assurance approach

Token Manager + Identity Services Manager = Credential Service Provider (CSP)

...

Much progress in the discussions with FICAM. See slide 6 for details.

Componentized Services

An important topic is componentized services (see slides 7 and 8 for details).

Discussions with NIH and NSF

See slide #9

InCommon's discussions with NIH and NSF resulted in FICAM accepting our standardized attribute bundle (R&S) rather than the attributes FICAM had been requiring (which had included legal name and DOB).

See slide #

GSA (home agency for FICAM) has joined InCommon. GSA will likely be the focal point for other agencies.

We are piloting insertion of community tags into the metadata, and FICAM will have one of those early pilots.

That will be a powerful ability.

This is in process, not announced yet.

Componentized services: how can FICAM enable agencies to pick and choose? For example, a Kantara-approved Token Manager and a Safe BioPharma-approved Identity Services Manager could work together to form a Credential Service Provider.

There was a meeting in DC about this, with interesting discussion about the major pieces.

Need to audit the glue between the Token Manager and the Identity Services Manager. There are under 20 pieces that tie the components together.

Once audited, that could be a full CSP.

This would allow us to outsource pieces.

If you had an adult distance-learning service and needed it to become a FICAM-approved Silver service, that could be considered an approved identity provider.

==

We are also working with NIH and NSF in the context of assurance and federation in general.

They would like usage of InCommon credentials to grow.

Many faculty are using Google credentials, which makes it more difficult to address assurance and the broader needs of the agencies.

Need persistence across organizations for researchers: if they move from one organization to another, there are issues.

NSF is piloting ORCID to address moving/persistence.

NIH sees a need for "Bronze-ish": Silver without the identity proofing.

==


...

Community Profiles

See Slide 10

  • In addition to the FICAM-based Bronze and Silver profiles, there are community needs, such as for an MFA profile.
  • Also need to replace the POP approach of "Post your Practices" with baseline practices.

...

Next Steps for the Assurance Advisory Committee (AAC)

Steve Devoti, AAC chair, reported:

  • The AAC is working to revise its charter to do more than manage the assurance process for certification.
  • This does not expand the AAC's charge a lot, but it is broader than managing a process.
  • The AAC is looking at what needs to be modified to increase trust within the federation. The goal is to get people on the road to higher trust and higher assurance.
  • We have received feedback (from our SP partners) on the lack of usefulness of the POP and the lack of compliance. Some InCommon participants are not updating their POPs.
  • We have talked about decomposing the assurance profiles into trust marks to drive incremental progress within the federation, rather than one big thing (Silver).
  • There is work at GA Tech on Trust Marks.

...

Q&A

EricG: Can address what we have heard from the community about the POP and about MFA. Would give more flexibility.

Eric Goodman asks: there is the Vectors of Trust group. The UC system is taking a similar approach in standards within UC, for incremental progress short of Silver. Is there a sense of what the scope of the trustmarks (being discussed by the AAC) might be? Wants to do things that would map to trustmarks. Are there specific targets that would be more useful for us to use?

SteveD: The AAC's work on this is not super far along; it is at the beginning. The GA Tech GTRI group has done a lot of work and has broken 800-63 into trustmarks. SteveD has thrown things onto paper; it is drafty. There should be a good mapping, but the AAC has not yet taken our InCommon assurance profiles and decomposed them into trust marks.

See:
https://trustmark.gtri.gatech.edu/concept/#framework-example-ficam

See pages 44-45 here: https://trustmark.gtri.gatech.edu/wp-content/uploads/2014/01/Trustmark-Pilot-Concept-Slides-for-IDESG-Briefing-2014-01-16.pdf

Eric: The trustmarks will decompose the IAP and the POP? So those would merge?

SteveD: I think so.

Eric Goodman is a good working group member!

Any interest in asserting MFA in a profile?

Eric G: Yes, from other campuses.

Do you have a definition for what that would mean?

MFA Profile

For a community MFA profile, there are decisions on how granular to be. We are running into what TomScavo ran into: there are apps that want MFA, and some campuses have MFA tokens and some don't. Under what circumstances would the SP application trust that MFA had been done by the campus, versus the app requiring its own MFA? We don't want to have campus MFA plus ALSO application MFA.

That's the danger you have if the SP requires MFA before the IdP supports it.

David: From the Multi Context Broker point of view...

What is MFA? Define it as lightly as possible: just that some other factor is used.

Paul Caskey said DUO lets you remember for 30 days that you had done your MFA.

I want to be able to disallow that.

So he needs 2 different MFA profiles.

TWOFER honors forced reauthentication. DUO will not? You must define 2 different sub-modules.

Session length of 30 days?

Eric: To take it to the trustmarks, what the trustmark would be asserting is something about your MFA practice.

David: Yes, it would say you do MFA. The other says you are doing MFA and forcing reauthentication in the current time.

Eric: But that is interactive...

David: You define what you mean by MFA, and there is some certification process that says an IdP has that trustmark. Then assertions it sends out would be honored. There is the IAP and IAQ on the trustmark.

DUO might need to take an action to be compensated for in Shib software.

But once you say you are doing MFA, it is not that simple.

We will need to stick a stake in the sand.

Ann: Would you want to leverage your use case to do a set of MFA community practices?

Eric: This might be in 6 months. There is no focus on this yet.

But Eric will raise this at meetings.

David: We could get interest from Paul.

Jeff Capehart asks about TIER.

Ann: That is to accelerate IDM across HE.

Sustaining Shib and Grouper long term is one issue.

We are good at business to business.

It was noted that with a light/simple definition of MFA trustmark (MFA? Y or N), there are concerns. Example: an SP that remembers the user for 30 days, with no forced re-authentication. There would be a need to disallow that kind of practice.

TIER

Question: How does the TIER work relate to Assurance?
Info on TIER: https://drive.google.com/folderview?id=0BzRHp0xie6WFUVRqQXBwd3VSa1U&usp=sharing

Ann: TIER aims to accelerate IDM across HE. We need to help researchers get access to services, including participants in a VO: there are researchers outside the campus that need to access services shared by a VO, so they act as an individual member of this group. We also need to accelerate the ability of schools that don't have an effective IDM system and need one to access federated services. From an advanced institution, your participation may be for a component or two; you might want to leverage just parts. But there will be practices; part of the federation is the campuses and SPs that are members. A big issue is normalizing practices. Assurance is part of that. All of that is important. It's about organization and infrastructure.

JeffC: Is there a commitment to do things in a certain way? Like the POP, like MFA, like certificates? Do you get to pick and choose?

Ann: Yes, you can pick and choose, but the practices will be a requirement. Persistent identifiers are very important. That is a key one.

Question: Can a campus be in TIER and not do Assurance?

Ann: Don't know yet. TIER is in an early stage. Requirements are not yet set by the community. Supporting practices and re-usability: the practices must be focused on a business need. They all must come together to serve a business need.


Next Assurance Implementers Call: Jan. 2015 (no call in Dec. 2014)

===

Emily Eisbruch, Technology Transfer Analyst
Internet2
emily@internet2.edu
office: +1-734-352-4996 | mobile +1-734-730-5749