Ann West, Internet2
Arnie Miles, Georgetown
David Walker, InCommon
Mary Dunker, VA Tech
Benn Oshrin, Spherical Cow Group
Jeff Capehardt, UFL
Ron Thielen, U. Chicago
Eric Goodman, UCOP
Alternative Means for Two Factor Authentication using Duo Security
On a previous Assurance call, there had been a request for a campus to develop an Alternative Means for Satisfying Assurance Criteria for use of Duo Security Two-Factor Authentication. http://www.incommon.org/duo/
Texas A&M and Penn State have expressed interest, and this will be discussed further during Identity Week, Nov. 11-15.
Shib IdP Enhancements Progress https://spaces.at.internet2.edu/display/InCAssurance/Shibboleth+Enhancements+-+Project+Status
David Walker reported that the Shibboleth IDP Enhancements Project is in acceptance testing now. The enhancements will enable a Shibboleth IdP to support the InCommon Assurance Program's multiple assurance profiles, as well as other authentication contexts that may be defined by IdPOs and their partners. This work could be used to support Multi-Factor Authentication and the work emerging from the Internet2 Scalable Privacy Project. The SP specifies one or more AuthN contexts that it will accept in receiving an identity assertion. The decision of what AuthN options to present to the user are based on what the SP requests, and on information about the user (retrieved from the IdM system) regarding what AuthN contexts that user is certified for (bronze or silver).
It was noted that the CommIT project may also benefit from this Shibboleth Enhancement.
The project status wiki page has a link for downloading the code. The plans is to finish this work by the end of 2013.
There will be some training / marketing / outreach materials so the community will know about the new features.
Assurance Advisory Committee (AAC) Update
Mary reported on recent activities of the AAC:
Several nominations for AAC membership were received during the call for nominations period of Sept. 26 – Oct 31, 2013.
There are open slots on the AAC for an SP representative, an IdP representative, an auditor and potentially a member at large.
The open slots are due to current members' terms expiring. The plan is to ask each candidate to submit two paragraphs summarizing their interest, background, ability to make the time commitment and their institution's support of the time commitment. The AAC hopes to have a recommendation to InCommon Steering in December regarding new AAC members.
Updated AD Assurance Cookbook
AAC has provided guidance to the group working on updating the AD Assurance Cookbook on interpretation of the Assurance spec. The AD Assurance group has done an excellent job in updating the Cookbook. The whole community will benefit.
Cloud Security Alliance Cloud Controls Matrixhttps://cloudsecurityalliance.org/research/ccm/
The Cloud Security Alliance is producing a cloud controls matrix, including information relative to higher ed. The InCommon TAC and the AAC are looking at providing input to this matrix around federated authentication and IdM. One goal is to ensure that Net+ services have appropriate security features and can be smoothly integrated into a federated environment.
On the TAC webinar of October 10, 2013, a poll was conducted about current status relative to MFA. Mary is interested in who in this group is implementing MFA. Looking at how that fits in with the Assurance profiles
Arnie: Georgetown is looking at a new IDM system and whether and how to incorporate MFA is an important part of the discussion. It was agreed that the InCommon Assurance profiles can be a helpful tool in developing requirements and processes for a new IDM system.
David noted that campuses looking at MFA may want to participate in the discussions of the MFA Cohortium https://spaces.at.internet2.edu/display/mfacohortium/Home
AD Assurance Cookbook
The AD Assurance Cookbook has been updated in light of the revised 1.2 spec. Community feedback period ended Nov. 8.
The conversations with the AAC about how to interpret the spec were helpful. Excellent feedback was received from Joe St. Sauver. Brian Arkills responded to those comments on behalf of the group. One of the challenges of the AD Cookbook is keeping the scope to AD technology specific issues or compliance with the silver profile. Some feedback received pertained to things that are good to do, but not within this defined scope.
A diagram is being developed to clarify some of the descriptions in the AD Assurance Cookbook.
Ann noted that it was initially thought that an alternative means would be required for AD and Silver. But the Cookbook has described the fact that an alternative means is not necessarily needed, depending on the architecture of how a site is using AD.
If there are further comments, please send them to the list or send them to Ann and she will forward them.
Ann reported that over the last several months, a number of individuals have expressed interest in discussing the interpretation of the Bronze (and later Silver) profile specifics.
To help with this request, InCommon is spinning up a Reading of the Bronze Profile over 8 hour-long biweekly sessions. A week before the call, Ann will announce the section to be discussed so that attendees can review the points and come prepared to discuss. If there are issues that need further illumination, the group will ask for guidance from the AAC. Look for further details regarding call days and times to be announced on the Assurance list.