1 / 15

US E-authentication and the Culture of Compliance

RL “Bob” Morgan University of Washington CAMP, June 2005. US E-authentication and the Culture of Compliance. Topics. US E-Authentication Program E-auth and Internet2 Interfederation Interoperability Working Group Assessment can be fun (aka getting CAFed and liking it)

devika
Download Presentation

US E-authentication and the Culture of Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. RL “Bob” Morgan University of Washington CAMP, June 2005 US E-authentication and the Culture of Compliance

  2. Topics US E-Authentication Program E-auth and Internet2 Interfederation Interoperability Working Group Assessment can be fun (aka getting CAFed and liking it) An initial E-Auth application usPerson schema project

  3. US E-Authentication http://cio.gov/eauthentication for authoritative info facilitates trusted access to e-government e-auth elements credential providers (CSPs), agency apps (AAs) credential assessment framework (CAF), application risk assessment, defined LoAs approved technologies, products (X.509, SAML) e-auth ops: membership, portal (aka “Fed fed”) agency mandates E-Authentication Partnership advisory group

  4. InCommon + E-Auth alignment promote interop for widespread higher-ed access to USG applications grants process, research support, student loans ... process project started Oct 2004, thru Dec 2005 compare federation models propose alignment steps validate with federation members, via concrete application trials implement via next e-auth, InCommon phases

  5. IIWG elements federation comparison (E-Auth, InCommon) modify Shib software to work with E-Auth part of Shib 1.3 universities undergo trial by CAF assess whether compliance is likely across HE deploy HE access to a real USG app NSF FastLane; learn from this experience propose alignment steps for E-Auth and InC propose interfederation structure

  6. E-Auth + InC alignment points Basic divergence: loose vs tight coupling membership: IdP-centric vs SP-centric E-auth driven by requirements of e-government AAs some CSPs will be govt agencies, but mostly external InCommon driven by requirements of university IdPs, encouraging SPs to federate with us assurance: facilitated vs guaranteed InCommon IdPs publish their processes, SPs decide whether they're OK E-auth participants audited, approved by GSA level of assurance is fundamental characteristic, of both agency apps and credential servicesbased on NIST-defined criteria

  7. Alignment points 2 user identity: application-supporting attributes vs fixed identifier set InCommon relies on Internet2-defined eduPerson, promotes attribute-based authorization E-Authentication specifies delivery of identifiers only operation: metadata-centric vs portal-centric InCommon-managed metadata supports direct interaction between IdPs and SPs E-auth portal mediates flow, adds user navigation and LoA adaptation point

  8. Alignment points 3 technology: SAML and profiles InCommon specifies minimal Shib profile of SAML 1.1 E-Auth specifies extensive profile on top of SAML 1.0(also supports cert authentication for higher LoAs) intend to converge on SAML 2.0

  9. NSF FastLane via E-Auth FastLane: a good first application used by 300,000 HE users, PIs and research admins early E-Auth participant assessed at Level 1 NSF seeking process improvement Process: 4 campuses get CAFed, deploy Shib 1.3, join E-A NSF deploys E-Auth capable FastLane campus users “account link” once by authenticating via E-A, entering old account/password

  10. Campus Compliance Issues Level 1 is pretty easy be a real organization, with basic docs have a user database (but no ID proofing reqts) run a secure authentication system Password-guessing protection is the hurdle system should protect against brute-force guessing implies guessing-limitation, -monitoring, lockout none of participant campuses doing this today various plans: monitor, remove e-auth authz only need apply to E-Auth application users

  11. E-Auth support in Shibboleth Shibboleth protocol interaction is SAML 1.1 with various choices to enable interop, eg name formats, common attributes, metadata, req message demonstrated interop with other SAML 1.1 products E-Auth/SAML is today a profile of SAML 1.0 using Artifact method, attribute push, etc Shibboleth version 1.3 supports E-Auth profile can run in parallel with traditional Shib profile motivated changes in IdP structure Shib 1.3 SP intended to be compliant too

  12. SAML 2 SAML 1.x doesn't cover many interop elements SAML 2.0 covers the waterfront authentication request logout identifier management WS-Federation SAML alternative promoted by some big vendors will it be brought into E-Auth approved tech space?

  13. US person schema motivated by HE interest in attribute-based authorization for E-Auth modeled on Educause/Internet2 eduPerson spec and its use in Shibboleth and InCommon not list of attributes, but framework on which agency/app definitions can be built not just SAML, but generic information model, mapped to LDAP, SAML, XML provisioning starting by looking at improved processes for NSF, USDA applications, using campus-sent attributes,also national schema efforts from EU countries ambitious? yes ... proposal due June 2006

  14. E-Auth and InCommon peering E-Auth doesn't want 1000 university members or 1000 banks, or anything else rather, wants to peer with federations in these industry sectors federation peering is new territory though some prior reusable work in PKI Bridge CA interop/mapping

  15. Conclusion E-Authentication is strong standardizing factor in many industry sectors US HE is working to ensure that E-Auth meets our needs

More Related