
Notes: InCommon Assurance Monthly Implementers call for 5-Nov-2014

Slides used for this Assurance Call are here

Attending:

Ann West, Internet2
David Walker, Internet2
Steve Devoti, UW-Madison/AAC Chair
Mark Jones, UT Houston
Eric Goodman, UCOP
Benn Oshrin, Spherical Cow Consulting
Randy Miotke, Colorado State University
Susan Neitsch, Texas A&M University
Tom Golson, Texas A&M University
Jeff Capehart, University of Florida

Discussion

The October 2014 Assurance Call was an IAM Online session featuring the University of Nebraska and UMBC presenting on their experience with InCommon Bronze certification and security. The archives are linked from http://www.incommon.org/iamonline/

Today's call will focus on InCommon Assurance and US Government discussions.

Topics:

  • Update on the FICAM Program
  • Implications on the InCommon Assurance Program
  • Next Steps for the Assurance Advisory Committee (AAC)

FICAM

FICAM was based on NIST 800-63.
Currently there are 3 FICAM Approved Trust Framework Providers:

http://www.idmanagement.gov/adopted-trust-framework-providers

The FICAM 1.0 spec and related documents focused on identity provider and credential practices.
Since the approval of FICAM 2.0, there are changes. FICAM 2.0 also encompasses:

  • federation requirements outside identity assurance
  • Citizen2Government target
  • Componentized Identity Assurance approach

Token Manager + Identity Services Manager = Credential Service Manager

FICAM 2.x includes federation requirements:

  • Change Management
  • Contacts
  • Entity Info
  • Memorandum of Agreement
  • Attributes for ID Matching

A question arose: Can't InCommon handle this for the InCommon IdPs?

Much progress in the discussions with FICAM. See slide 6 for details.

Componentized Services

An important topic is componentized services (see slides 7 and 8 for details).

Discussions with NIH and NSF

See slide 9

InCommon's discussions with NIH and NSF resulted in FICAM accepting our standardized attribute bundle (R&S) rather than the attributes FICAM had been requiring (which included legal name and DOB).

GSA (the home agency for FICAM) has joined InCommon. It looks like GSA will be the focal point for other agencies.

Community Profiles

See Slide 10

  • In addition to the FICAM-based Bronze and Silver profiles, there are community needs, such as for an MFA profile.
  • The ability to assert multi-factor authentication status to a provider like Workday would be triggered by a need to access a financial record.
  • There is also a need to replace the POP approach of "Post your Practices" and have baseline practices.

Steve Devoti reported:

  • The AAC is working to revise its charter to do more than manage the assurance process for certification.
  • The AAC is looking at what needs to be modified to increase trust within the federation.
  • This does not expand the AAC's charge a lot, but it is broader than managing a process.
  • We have received lots of feedback (from our SP partners) on the lack of usefulness of the POP and the lack of compliance. Some InCommon participants are not updating their POPs.
  • We have talked about decomposing the assurance profiles into trust marks to drive incremental progress within the federation.
  • The goal is to get people on the road to higher trust and higher assurance.
  • There is work at GA Tech on Trust Marks: https://trustmark.gtri.gatech.edu/the-pilot/

EricG asks about the Vectors of Trust group:

https://www.ietf.org/mail-archive/web/ietf-announce/current/msg13215.html

The UC system is taking a similar approach in standards, for incremental progress short of Silver.

Is there a sense of what the scope of the trustmarks (being discussed by the AAC) might be? UC wants to do things that would map to trustmarks. Are there specific targets that would be useful for us to use?

SteveD: The AAC's work on this is at the beginning.

The AAC has not taken our assurance profiles and decomposed them into trust marks yet.

The GA Tech people have looked at breaking 800-63 into trustmarks.

See:
https://trustmark.gtri.gatech.edu/concept/#framework-example-ficam

See pages 44-45 here: https://trustmark.gtri.gatech.edu/wp-content/uploads/2014/01/Trustmark-Pilot-Concept-Slides-for-IDESG-Briefing-2014-01-16.pdf

MFA Profile

For the MFA profile work, there are important decisions on how granular to be.

There are apps that want MFA. Some campuses have MFA tokens and some don't.

We need to figure out under what circumstances the SP application would trust that MFA had been done by the campus, versus the app invoking its own MFA. We don't want campus MFA plus application MFA.

It was noted that with a light definition of the MFA trustmark (MFA? Y or N) issues arise, such as an SP that remembers you for 30 days (no forced reauthentication). There would be a need to disallow that kind of practice.

David: You define what you mean by MFA, and there is some certification process that says an IdP has that trustmark. Then the assertions it sends out would be honored. There is the IAP and IAQ on the trustmark.

Duo might need to take an action that is compensated for in the Shibboleth software.

But once you say you are doing MFA, it is not that simple.

We will need to put a stake in the sand.

Ann: Would you want to leverage your use case to do a set of MFA community practices?

Eric: This might be in 6 months. There is no focus on this yet.

But Eric will raise this at meetings.

David: We could get interest from Paul.

Jeff Capehart asks about TIER.

Ann: That is to accelerate IdM across HE.

Sustaining Shib and Grouper long term is one issue.

We are good at business to business.

But we have researchers outside the campus that need to access services that are shared by a VO, so they act as an individual member of this group. We also need to accelerate the ability for schools that don't have an effective IdM system and need one to access federated services.

For an advanced institution, your participation may be for a component or two. You might want to leverage just parts. But there will be practices; part of the federation is the campuses and SPs that are members. A big issue is normalizing practices. Assurance is part of that. All of that is important. It's about organization and infrastructure.

JeffC: Is there a commitment to do things in a certain way? Like the POP, like MFA, like certificates? Do you get to pick and choose?

Ann: Yes, you can pick and choose, but the practices will be a requirement. Persistent identifiers are very important. That is a key one.

Can you be in TIER and not do Assurance?

Ann: We are in an early stage. Requirements are not yet set by the community. Supporting practices and reusability. The practices must be focused on a business need.

They all must come together to serve a business need.

Info on TIER: https://drive.google.com/folderview?id=0BzRHp0xie6WFUVRqQXBwd3VSa1U&usp=sharing

Next Assurance Implementers Call: Jan. 2015 (no call in Dec. 2014)

===

Emily Eisbruch, Technology Transfer Analyst
Internet2
emily@internet2.edu
office: +1-734-352-4996 | mobile +1-734-730-5749
