
Step-up authentication requirements and guidelines for SPs

Summary

This document collects use-cases and requirements from the communities to describe the current state of the field.

The goal is to also derive a common pattern to guide future implementations of Step-up authentication.

Whether OIDC RPs will be targeted is not clear yet.

Working docs

Google-Doc: https://docs.google.com/document/d/1R24xKC-cC7sLyb13Gr2jxKtlA83_qESrkCorT4PTb74/edit#heading=h.mqa2kjgzxbju

Final PDF

To be published on Friday

Meetings schedule and Minutes

Date | Location | Agenda | Minutes

2017-07-17-11 13-00 (CEST) | https://webconf.vc.dfn.de/aarc-jra1

Discuss documents A, B, C:

  • Table of Contents
  • Key points to mention
We essentially worked inside the documents. Minutes do not make sense at this point.

2017-07-28 13:00 (CEST) | https://webconf.vc.dfn.de/aarc-jra1 | Discussion of documents A, B, C

Decided to prioritise document C

Introduced June from RZG, who is liaising for Geant to consume results of our document

Document responsibility handed to Uros.

Finalise Intro: Marcus

2017-11-07 10:00 (CET)

Agreed from now on to use Vidyo room:

https://www.nikhef.nl/grid/video/?m=aarcjra1


Doc discussion

Short review of the doc, and discussion about the future steps.

Discussion about the possible implementations of the step-up:

From the SP point of view, there are 3 use cases:

  • First, if the SP requires MFA (or step-up of other components), then all IdPs whose users access this service need to support and provide MFA, which may be difficult to achieve
  • Second, the SP itself may implement MFA functionality (the actual implementation of this use case was not elaborated at this point)
  • Third (most interesting at this point), there can be an IdP-proxy that provides a step-up service (e.g. for MFA)

Possible description of the third use case:

  • The user authenticates with the SP and establishes a browser session. The SP can then redirect the user to the predefined IdP-proxy service, where the user goes through the step-up procedure (e.g. performs MFA). After successfully completing the step-up procedure, the user is redirected back to the SP. The SP can then grant access to the user.

Future work:

  • Pinging Stefan for SafeShare chapter: Uros
  • Review old comments and try to resolve them: Uros
  • Create initial drawing of the third use case, on lucidchart: Uros
  • For everyone: go through the doc and fix current issues

2017-12-05 10:00 (CET) | https://www.nikhef.nl/grid/video/?m=aarcjra1 | Discuss evolution of SuA documents

There will be three documents:

  1. Authentication-step-up:
  2. AuthN-freshness-step-up:
  3. General assurance elevation:
  4. Experiences of the pilot...

2018-01-16 10:00 (CET) | https://www.nikhef.nl/grid/video/?m=aarcjra1 | Followup on Step-Up and other documents | We agreed to put all definitions to the AARC1-JRA1-Terms and definitions google doc at https://docs.google.com/document/d/18AllfUKLi90f1odm6hINkQvRljbFhy9lfkY1M447uBQ

2018-01-30 10:00 (CET) | https://www.nikhef.nl/grid/video/?m=aarcjra1 | Finalise Step-up document

Received various comments from Mikael, Jens and Mischa

Will include step-up flows from a Geant doc of Christos (Second factor authentication component for the Life Science AAI)

Will have Session at TIIME to discuss final document

Marcus will circulate a close-to-final version on Wednesday

2018-02-13 10:00 (CET) | https://www.nikhef.nl/grid/video/?m=aarcjra1 | Finalise Step-up document

Received comments on close-to-final version

Discussed comments

Marcus will circulate a 'pretty-final' (=closer-to-final) version on Wednesday

The call was missing partners from

  • EGI
  • PSNC
  • Surfnet

2018-03-06 10:00 (CET) | https://www.nikhef.nl/grid/video/?m=aarcjra1 | Finalise Step-up document

Move sections 2 and 4 to appendix

Open consultation about the recommendations
