...

SteveD: The AAC's work on this is at the beginning

The AAC has not taken our assurance profiles and decomposed them into trust marks yet.

The GA Tech people have broken 800-63 into trustmarks.

See:
https://trustmark.gtri.gatech.edu/concept/#framework-example-ficam

Eric: the trustmarks will decompose the IAP and the POP? so those would merge?

SteveD: I think so

Eric Goodman is a good working group member!

Any interest in asserting MFA in a profile?

Eric G: yes from other campuses

Do you have a definition for what that would mean?

See pages 44-45 here: https://trustmark.gtri.gatech.edu/wp-content/uploads/2014/01/Trustmark-Pilot-Concept-Slides-for-IDESG-Briefing-2014-01-16.pdf

MFA Profile

For the MFA profile work, there are important decisions on how granular to be.

We are running into what TomScavo ran into. There are apps that want MFA. Some campuses have MFA tokens and some don't.

We need to figure out under what circumstances the SP application would trust that MFA had been done by the campus, versus the app invoking its own MFA. Don't want campus MFA plus application MFA.

That's the danger you have if the SP requires MFA before the IDP supports it

David: from the Multi Context Broker point of view..

What is MFA? Define it as light as possible: just some other factor is used.

Paul Caskey said DUO lets you remember for 30 days that you had done your MFA

I want to be able to disallow that

So he needs 2 different MFA profiles

TWOFER honors the forced reauthentication. DUO will not? You must define 2 different sub modules

Session length of 30 days?

Eric: to take it to the trustmarks, what the trustmark would be asserting is something about your MFA practice.

David: yes it would say you do MFA. the other says you are doing MFA and forcing reauthentication in the current time.

Eric: But that is interactive... It was noted that with a light definition of MFA trustmark (MFA? Y or N) there are issues that arise, such as an SP that remembers you for 30 days (no forced reauthentication). There would be a need to disallow that kind of practice.

David: You define what you mean by MFA and there is some certification process that says an IDP has that trustmark. Then assertions it sends out would be honored. There is the IAP and IAQ on the trustmark

...