Versions Compared

Old Version 6

changes.mady.by.user Daniela Pöhn

Saved on

compared with

New Version Current

changes.mady.by.user Peter Brand

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add wiki link

...

5. The govt runs an admission service for the whole hi-ed sector (see https://www.universityadmissions.se/intl/start). This service needs something like AL2, so around 200.000 users EACH YEAR gets some sort of AL2-account here. 5.1 costs.. Depends how you count. If we would do it again or coach someone in doing it it would be less. SWAMIDs costs to get ONLY eduID to Kantara AL2 was somewhere between 20-50k€

Maturity Templates

SURFnet: Doc (in Dutch)

  • Simple (Single?) Sign On
    • How many systems/applications can be used with the account, authentication, identities in the organisation
  • Authorization
    • How many systems/applications can be authorized with the account, roles/groups, central or decentral, types of groups/roles, differenciate between identities
  • Source system
    • which/how many source systems are used, manual input with documentation, one leading system, add attributes/information for SP
  • Policies?
    • for authorization, authentication, provisioning, standardisation, FIM, privacy; responsibilities for them; architecture; security policy; password policy; lifecycle for accounts; how often is FIM updated; how often are policies updated; are those policies in use; monitoring and updating policies
  • Processes and procedures
    • processes for new users, rules for username and email, verification of the identity, lifecycle, process how data is given to a third party, process to generate new passwords, how often is the data updated, reviews and reports, conclusions from reports and reviews
  • IdP System
    • standardised, which standard, availability, when available
  • Quality of data
    • correctness, completeness, change management of data, verification of data with external databases/systems
  • Implementation of processes and procedures
    • clearly described, monitoring, ?, legal entity?
  • Security
    • awareness, audits, intrusion tests, classified, actions, data protection, logfiles

haka: Excel file (in English)

...

Moved to Maturity Template page

AARC

Early findings:

•Accounts belong to a known individual (i.e. no shared accounts)
•Persistent identifiers (i.e. are not re-assigned)
•Documented identity vetting (not necessarily F2F)
•Password authN (with some good practices)
•Departing user’s account closes/ePA changes promptly
•Self-assessment (supported with specific guidelines)

Questions to the floor:

•Do we want to include incident response stuff (NA3.2) here?
•Do we want to include attribute release requirements?
•Do we want to include wider information security requirements?

We develop and pilot a tool which

•Is an eduGAIN SP to which any eduGAIN IdP admin can log in
•Presents structured self-assessment questions to the IdP/IdM admin
•Quantitive: (”do accounts belong to an individual”)
•Qualitative: (”explain how you ensure accounts belong to an individual”)
•Publishes the results for anyone to read
•Evaluates if the LoA minimum is fulfilled
•Spits an Entity Category tag to eduGAIN metadata for the IdP
•Can we do that centrally?
•Asks the IdP admin to re-evaluate every year
•Can assist in the LoA peer-review
•If peer review becomes a requirement e.g. for a higher LoA level

...


Recommendations

SWAMID - eduID

...