
Statement - All entity (IdP and SP) service endpoints must be secured with current and supported transport layer encryption.

What is it?

When registering an entity (IdP or SP) in InCommon, all connection endpoints of that entity must be an HTTPS URL. Further, the transport layer security protocol and associated ciphers used must be supported and trustworthy versions.

For an IdP, a “connection endpoint” includes the locations of the ArtifactResolutionService, the SingleSignOnService, the SingleLogoutService, and the AttributeService.

For an SP, a “connection endpoint” includes the locations of the AssertionConsumerService and the SingleLogoutService.

Who does this requirement apply to?

This requirement applies to all entities (identity providers and service providers) registered with the InCommon Federation.

How do I meet this requirement?

All endpoints in an entity’s metadata must be protected with a sufficiently strong transport encryption protocol version and cipher suite, and the TLS implementation used must still be supported by its maker. Because technology in this area evolves rapidly, participants should test and update their TLS configurations regularly, both to mitigate the risk of data loss and system compromise and to provide greater awareness and transparency.

Specifically, participants should test their implementations against the criteria compiled in The Open Web Application Security Project’s (OWASP) Transport Layer Protection Cheatsheet (https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html) and the TLS Cipher String Cheatsheet (https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html). 

Popular security testing software such as the Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest) is a convenient way to test your server against these criteria. If using the Qualys SSL Labs Server Test, an overall rating of A or better is considered to meet the requirements of the InCommon Baseline Expectations.

For example, as of January 2020, this means endpoints must support at least TLS 1.2. Older TLS and SSL protocol versions are not acceptable because they are either no longer supported or have known security vulnerabilities. Connections should rely on strong cipher suites, which may require disabling older cipher suites with known weaknesses.
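A practitioner will usually want a repeatable check to run between Qualys scans: one that pulls every endpoint location out of an entity’s metadata, confirms each is an HTTPS URL, and then probes each host to see whether it still accepts TLS 1.0 or 1.1. The script below is an added example, not InCommon’s or Qualys’s code. The metadata document is constructed for illustration (one SingleSignOnService is deliberately left as plain http://), and the hostnames in it are placeholders. It checks protocol versions only; cipher suite strength, certificate chains and the other OWASP criteria still need the full Qualys or equivalent test.

```python
"""Check SAML metadata endpoints for HTTPS and probe which TLS versions each host accepts.

Added example: the metadata below is constructed, and idp.example.edu is a placeholder host.
"""
from __future__ import annotations

import socket
import ssl
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Endpoint elements named in the requirement, for both IdP and SP roles.
ENDPOINT_TAGS = (
    "ArtifactResolutionService",
    "SingleSignOnService",
    "SingleLogoutService",
    "AttributeService",
    "AssertionConsumerService",
)

# Constructed sample: one SSO endpoint is deliberately http:// so the check has something to flag.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.edu/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.edu:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def find_endpoints(metadata_xml: str) -> list[tuple[str, str]]:
    """Return (element name, URL) for every Location and ResponseLocation on the listed endpoint elements."""
    root = ET.fromstring(metadata_xml)
    found = []
    for tag in ENDPOINT_TAGS:
        for element in root.iter(f"{{{MD_NS}}}{tag}"):
            for attr in ("Location", "ResponseLocation"):
                url = element.get(attr)
                if url:
                    found.append((tag, url))
    return found


def non_https_endpoints(metadata_xml: str) -> list[tuple[str, str]]:
    """Endpoints whose URL scheme is anything other than https."""
    return [(tag, url) for tag, url in find_endpoints(metadata_xml)
            if urlsplit(url).scheme.lower() != "https"]


def hosts_to_probe(metadata_xml: str) -> list[tuple[str, int]]:
    """Distinct (host, port) pairs behind the https endpoints, port defaulting to 443."""
    pairs = set()
    for _tag, url in find_endpoints(metadata_xml):
        parts = urlsplit(url)
        if parts.scheme.lower() == "https" and parts.hostname:
            pairs.add((parts.hostname, parts.port or 443))
    return sorted(pairs)


PROTOCOL_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def tls_versions_accepted(host: str, port: int = 443, timeout: float = 5.0) -> dict[str, bool]:
    """Attempt one handshake per protocol version, with the client pinned to exactly that version."""
    accepted: dict[str, bool] = {}
    for name, version in PROTOCOL_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # this probes protocol support, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            # OpenSSL's default security level refuses to offer TLS 1.0/1.1; lower it for the probe.
            # LibreSSL rejects this syntax, in which case those versions simply cannot be offered.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted[name] = True   # handshake completed at the pinned version
        except (ssl.SSLError, OSError):
            accepted[name] = False
    return accepted


def assess(accepted: dict[str, bool]) -> list[str]:
    """Flag any pre-1.2 version the server accepts, and require TLS 1.2 or 1.3 to be available."""
    problems = [f"{name} accepted" for name in ("TLSv1.0", "TLSv1.1") if accepted.get(name)]
    if not (accepted.get("TLSv1.2") or accepted.get("TLSv1.3")):
        problems.append("no TLS 1.2 or 1.3 available")
    return problems


if __name__ == "__main__":
    for tag, url in non_https_endpoints(SAMPLE_METADATA):
        print(f"NOT HTTPS: {tag} {url}")
    print("hosts to probe:", hosts_to_probe(SAMPLE_METADATA))
    if len(sys.argv) > 1:   # optional live probe: python check_tls.py host [port]
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
        result = tls_versions_accepted(host, port)
        print(host, port, result, assess(result) or "OK")
```

Run it with no arguments to see the offline metadata check; pass a hostname (and optional port) to probe a real endpoint. Because each probe pins both minimum_version and maximum_version, a successful handshake proves the server negotiated exactly that version, so "TLSv1.0 accepted" in the output means the endpoint would fail the January 2020 bar regardless of what else it offers.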

Periodic Scanning - InCommon will conduct periodic Qualys-based endpoint scans to ensure that all endpoints registered in the InCommon Federation meet these requirements. If an endpoint fails to score A- or better in these periodic scans, InCommon will notify the responsible participant organization’s Site Administrator. The organization has 30/45/90 days to remediate. Failing to remediate results in the entity’s removal from the InCommon metadata. Those needing more time may propose a reasonable alternative to InCommon’s Community Trust and Assurance Board.
