70 likes | 199 Views
Campus Identity Management Requirements (=IAP). REFEDs meeting 7.6.2009 Mikael Linden, mikael.linden@csc.fi. Two aspects for Campus IdM. Campus IdM = the IdM system feeding the IdP with identities (technics+processes) Traditional LoA: Level of Assurance for Authentication
E N D
Campus Identity Management Requirements (=IAP) REFEDs meeting 7.6.2009 Mikael Linden, mikael.linden@csc.fi
Two aspects for Campus IdM • Campus IdM = the IdM system feeding the IdP with identities (technics+processes) • Traditional LoA: Level of Assurance for Authentication • Initial identity proofing, credential quality etc • NIST 800-63 and EU IDABC/STORK covers only this • Attribute quality (especially, those for authorisation) • ePA=”student” (Has s/he graduated but accounts not closed?) • ePEntitlement=… (Has s/he changed his/her project but entitlement not cancelled?) • Out of scope for NIST 800-63
Implementing Campus IdM • Supplemented by manual processes HR registry Studentregistry Base RegistriesNew identities MetadirectorySyncronise attributes Enterprise directory Unix mail IdP etc Relying systemsoperating systems, applications
Why Campus IdM quality? It Increases Trust! • Earlier poor Campus IdM quality was an internal problem for universities • Now also the federation SPs suffer form it • SPs want to know there is a floor for IdM quality in any IdP Requirements coming, e.g. (”community of practice”) • TERENA Grid Certificate Service Project • CLARIN project
The floor and the steps HigherLoAlevel HigherLoAlevel (e.g. indicatedusing SAML authenticationContext) The IdMqualityfloor EveryIdP in a federation needs to fulfil Hierarchicalornot? What is easyenough to fly?
Assuring the CIdM quality with audits Who makes? • Self-audit • E.g. checklists, questionnaires that home organisations fill in • The federation operator checks the answers • Peer audit • As above, but joining home organisations audit each others • External audit • External auditor makes the audit (1000 EUR a day) When? • When an IdP is registered to the federation • Reqular re-audits?
The Haka way • Common knowledge: some universities in Finland didn’t bother to close accounts for departing users • When Haka policy was outlined, Haka steering group insisted • First do your homework and clean the Campus IdM • Then register your IdP to Haka • Federation operator has published • Minimum requirements • A questionnaire for self-audithttp://www.csc.fi/english/institutions/haka/registration/idm-description • IdP-wannabe fills in and publishes the questionnaire • Haka federation checks that minimum requirements are fulfilled