Internet2 is investigating a security incident involving a compromise to a confluence server that affected https://spaces.at.internet2.edu on April 10, 2019, which was successfully mitigated on April 12, 2019. If you did not receive an email from us, it’s unlikely that any of the content you submitted to the Internet2 Spaces Wiki needs to be re-entered. We apologize for any inconvenience this may have caused. Should you have any questions or require further assistance, please email collaboration-support@internet2.edu.
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

DRAFT

Technical implementation of assurance requires system changes from InCommon Operations, IdPs, and SPs. There are many different scenarios and choices.

The Use of SAML V2.0

Participation in the InCommon Identity Assurance Program requires the use of SAML V2.0 Web Browser SSO. IdP and SP operators should plan for an upgrade path to SAML V2.0.

Metadata management

InCommon Operations will add identity assurance qualifiers (IAQs) to the published metadata following notification of certification by InCommon management. IAQs will be applied to the relevant IdP entity descriptors of the certified IdP operators (IdPOs).

Proposed IAQ URIs are:

Silverhttp://id.incommon.org/assurance/silver
Bronzehttp://id.incommon.org/assurance/bronze

There will likely be a need for non-production IAQs for use in interoperability testing, probably with test instances of metadata:

Silverhttp://id.incommon.org/assurance/silver-test
Bronzehttp://id.incommon.org/assurance/bronze-test

Note that all of the above URIs will resolve to actual web pages at some point.

IAQs in metadata

The following extension element will be added to the IdP's entity descriptor in metadata:

<mdattr:EntityAttributes
     xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute>
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>http://id.incommon.org/assurance/silver</saml:AttributeValue>
    <saml:AttributeValue>http://id.incommon.org/assurance/bronze</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

The <mdattr:EntityAttributes> element and the name of the <saml:Attribute> element are defined by relevant OASIS specifications.

SP behavior

Ideally SPs will initiate the assurance flow by including the desired IAQ in the SAML AuthnRequest element.

  • What matching rules are recommended, or acceptable?
  • Some SPs may not be able to use the AuthnRequest mechanism due to software or other limitations.  Are they out of luck?
  • How is this configured using the Shib SP?  The simpleSAMLphp SP?
  • Boarding process:  Since an IAQ in metadata makes a statement about certification (not live service), how does an SP determine that an IdP supports assurance operationally (ala attribute support)? One approach is to include <saml:Attribute> elements in IdP metadata. Other approaches?

SPs will receive IAQs (either in response to a specific request, or sent unsolicited) in assertions from IdPs.  SPs should use metadata for the relevant IdPs to check that they are certified to assert the IAQs they're asserting.

  • Does the Shib (or simpleSAMLphp) SP software support the metadata check?

SPs will rely on local policy to decide how to handle incoming IAQs.  For example if the SP requires InCommon Bronze but receives InCommon Silver, that should be acceptable.  How is an SP supposed to "know" this?  Is there a role for InC to provide "advice"?

IdP behavior

Ideally IdPs will receive a desired IAQ from an SP in an AuthnRequest to initiate the process.  The IdP compares the requested IAQ to its matching rule and interacts with the local IdM system to determine if the current user meets the requirements.  If so, the appropriate IAQ is returned in the AuthnContext element in the assertion.

  • What matching rules are supported? 
  • If the SP requests Bronze, is it allowable for the IdP return Silver?  How does the IdP "know" the mapping?  Is there a role for InC to provide "advice"?
  • Is it possible and/or desirable for the IdP to return multiple IAQs? No, not using the AuthnContext element.
  • How does the Shib (or SSP) IdP interact with local IdM?  Is a custom login handler required?

SPs may not put IAQs in AuthnRequests but still want to receive IAQs from IdPs.

  • Can the Shib (or SSP) IdP be configured to send IAQs without being requested?
  • If so, what are the appropriate policy knobs (per-SP, per-user, whatever)?

References

  • No labels