Comment: add wiki link

...

5. The govt runs an admission service for the whole higher-education sector (see https://www.universityadmissions.se/intl/start). This service needs something like AL2, so around 200.000 users EACH YEAR get some sort of AL2 account here.

5.1 Costs: depends how you count. If we would do it again, or coach someone in doing it, it would be less. SWAMID's costs to get ONLY eduID to Kantara AL2 were somewhere between 20-50k€.

Maturity Templates

SURFnet: Doc (in Dutch)

  • Simple (Single?) Sign On
  • Authorization
  • Source system
  • Policies?
  • Processes and procedures
  • IdP System
  • Quality of data
  • Implementation of processes and procedures
  • Security

haka: Excel file (in English)

...

Moved to Maturity Template page

AARC

Early findings:

  • Accounts belong to a known individual (i.e. no shared accounts)
  • Persistent identifiers (i.e. are not re-assigned)
  • Documented identity vetting (not necessarily F2F)
  • Password authN (with some good practices)
  • Departing user’s account closes/ePA changes promptly
  • Self-assessment (supported with specific guidelines)

Questions to the floor:

  • Do we want to include incident response stuff (NA3.2) here?
  • Do we want to include attribute release requirements?
  • Do we want to include wider information security requirements?

We develop and pilot a tool which:

  • Is an eduGAIN SP to which any eduGAIN IdP admin can log in
  • Presents structured self-assessment questions to the IdP/IdM admin
      • Quantitative: (“do accounts belong to an individual”)
      • Qualitative: (“explain how you ensure accounts belong to an individual”)
  • Publishes the results for anyone to read
  • Evaluates if the LoA minimum is fulfilled
  • Spits an Entity Category tag to eduGAIN metadata for the IdP
      • Can we do that centrally?
  • Asks the IdP admin to re-evaluate every year
  • Can assist in the LoA peer-review
      • If peer review becomes a requirement e.g. for a higher LoA level

...


Recommendations

SWAMID - eduID

...