Step up/AA service

AAF - LoIR

LoIR was the outcome of a project to enhance the current AAF service offering and develop a system to provide higher levels of identity assurance. A number of potential AAF Service Providers have indicated that they will need to provide access to cohorts of their end users who have been given a higher level of identity assurance.

You can find details about the project here. The service is still active and can be found here.

The screen basically tells the user how to go about getting their LoA increased, who to contact, etc. There are also administrative options for RAs, who can perform various tasks on users within their organisation, for instance increasing a user's LoA. The system only records the value of a user's LoA; it does not record any documents, evidence or proof of identity, which remain the responsibility of each RA and their organisation. LoIR then provides an Attribute Authority which SPs can use to query a user's LoA as part of the normal authentication workflow. The eduPersonAssurance attribute will be populated with the value assigned to the user. The system was aimed at universities that had their policies and practices in place but did not have a technical solution for provisioning eduPersonAssurance values into their identity systems. They could then use LoIR to store the results of the user's identity verification. The software is currently in a private repository; I'm not sure of its open source status, but most software we develop eventually becomes open source.

SWAMID - eduID

2. For simplicity, SWAMID cannot use the Govt e-ID solution. (Not entirely true, but I would need quicker fingers to explain..) eduID is offering an API for universities to integrate their own OTP solution, and as of next year eduID will offer U2F.

4. This is what eduID is offering with OTP today. The complex question that we ran into here is the binding (vetting) of the second factor to the individual. There is little to no value in providing a universal step up service unless the organisation that "owns" the user can securely know which tokens the user has.

5. The govt runs an admission service for the whole hi-ed sector (see https://www.universityadmissions.se/intl/start). This service needs something like AL2, so around 200.000 users EACH YEAR get some sort of AL2 account here.

5.1 Costs.. Depends how you count. If we would do it again or coach someone in doing it, it would be less. SWAMID's costs to get ONLY eduID to Kantara AL2 were somewhere between 20-50k€.

Maturity Templates

Moved to Maturity Template page

AARC

Early findings:

• Accounts belong to a known individual (i.e. no shared accounts)
• Persistent identifiers (i.e. are not re-assigned)
• Documented identity vetting (not necessarily F2F)
• Password authN (with some good practices)
• Departing user’s account closes/ePA changes promptly
• Self-assessment (supported with specific guidelines)

Questions to the floor:

• Do we want to include incident response stuff (NA3.2) here?
• Do we want to include attribute release requirements?
• Do we want to include wider information security requirements?

We develop and pilot a tool which

• Is an eduGAIN SP to which any eduGAIN IdP admin can log in
• Presents structured self-assessment questions to the IdP/IdM admin
  • Quantitative: (”do accounts belong to an individual”)
  • Qualitative: (”explain how you ensure accounts belong to an individual”)
• Publishes the results for anyone to read
• Evaluates if the LoA minimum is fulfilled
• Spits an Entity Category tag to eduGAIN metadata for the IdP
  • Can we do that centrally?
• Asks the IdP admin to re-evaluate every year
• Can assist in the LoA peer-review
  • If peer review becomes a requirement e.g. for a higher LoA level
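The evaluation and tagging steps of the tool sketched above, as an added illustration (not AARC's pilot code): it scores an admin's answers against the six early-findings criteria, requiring both the quantitative and the qualitative answer, and emits the SAML metadata entity-attribute fragment. The entity category URI is a placeholder, since the notes do not name one; the sample answers are constructed.

```python
"""Added illustration, not code from AARC's pilot tool: score an IdP admin's
self-assessment against the early-findings checklist and, if the minimum is
met, build the EntityAttributes fragment that would tag the IdP's metadata."""
import xml.etree.ElementTree as ET

# The six early-findings criteria from the notes, keyed by a short name.
MINIMUM_CRITERIA = (
    "individual_accounts",     # accounts belong to a known individual
    "persistent_identifiers",  # identifiers are never re-assigned
    "documented_vetting",      # documented identity vetting (F2F not required)
    "password_good_practice",  # password authN with good practices
    "prompt_deprovisioning",   # departing user's account closes / ePA changes
    "guided_self_assessment",  # self-assessment backed by specific guidelines
)
# ASSUMED placeholder: the notes do not name the entity category URI.
LOA_CATEGORY_URI = "https://example.org/assurance/minimum-loa-PLACEHOLDER"
MDATTR_NS = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample answers: each criterion carries the quantitative yes/no
# and the qualitative explanation the tool asks for.
SAMPLE_ANSWERS = {
    k: {"yes": True, "explain": f"See IdM policy section on {k}."}
    for k in MINIMUM_CRITERIA
}

def evaluate(answers):
    """Return (fulfilled, missing). A criterion passes only when the yes/no
    answer is True and the explanation is non-empty, so a bare 'yes' without
    the qualitative evidence does not count."""
    missing = [k for k in MINIMUM_CRITERIA
               if not (answers.get(k, {}).get("yes") is True
                       and answers.get(k, {}).get("explain", "").strip())]
    return (not missing, missing)

def entity_attributes_fragment(answers):
    """Serialise the mdattr:EntityAttributes element for a fulfilled IdP,
    using the standard entity-category attribute name; None otherwise."""
    if not evaluate(answers)[0]:
        return None
    ET.register_namespace("mdattr", MDATTR_NS)
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{MDATTR_NS}}}EntityAttributes")
    attr = ET.SubElement(root, f"{{{SAML_NS}}}Attribute",
                         Name="http://macedir.org/entity-category",
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
    ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = LOA_CATEGORY_URI
    return ET.tostring(root, encoding="unicode")
```

In a real deployment the fragment would be merged into the IdP's EntityDescriptor by the federation's metadata pipeline, which is the "centrally" question raised in the list.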


Recommendations

SWAMID - eduID

InCommon and their IdPs

IdPs in WAYF because of audits
