
Step up/AA service

AAF - LoIR

LoIR was the outcome of a project to enhance the current AAF service offering and develop a system to provide higher levels of identity assurance. A number of potential AAF Service Providers have indicated that they will need to provide access to cohorts of their end users who have been given a higher level of identity assurance.

You can find details about the project here. The service is still active and can be found here.

The screen basically tells the user how they go about getting their LoA increased, who to contact, etc. There is also an administrative option for RAs, who can perform various tasks on users within their organisation, for instance increase the user's LoA. The system only records the value of the user's LoA; it does not record any documents, evidence or proof of identity, as this is the responsibility of each RA and their organisation. LoIR then provides an Attribute Authority which SPs can use to query users' LoA as part of the normal authentication workflow. The eduPersonAssurance attribute will be populated with the value assigned to the user. The system was aimed at universities that had their policies and practices in place but did not have a technical solution for provisioning eduPersonAssurance values into their identity systems. They could then use LoIR to store the results of the user's identity verification. The software is currently in a private repository; I'm not sure of its open source status, but most software we develop eventually becomes open source.
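As an added illustration of the SP side of the workflow described above (this is example code, not LoIR's or AAF's own software): a Service Provider reads eduPersonAssurance out of the SAML assertion it received and decides whether the user already meets the LoA an application requires or must be sent to the RA step-up process. It assumes eduPersonAssurance is released under its eduPerson OID `urn:oid:1.3.6.1.4.1.5923.1.1.1.11`; the `urn:example:loa:N` vocabulary, the sample assertion and the function names are constructed placeholders for whatever values an attribute authority would actually assign.

```python
"""Added example (not part of the original wiki page or of LoIR/AAF code):
an SP-side check of eduPersonAssurance against the LoA an application needs.

Assumptions (constructed for this example):
  - eduPersonAssurance arrives under its standard OID (eduPerson schema);
  - the LoA vocabulary urn:example:loa:1..3 is a placeholder, not LoIR's;
  - the sample assertion below is hand-written, not captured from an IdP.
Signature and validity checks on the assertion are the SAML library's job and
are assumed to have happened before this code runs.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EDUPERSON_ASSURANCE_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

# Constructed LoA vocabulary: higher number = stronger identity proofing.
LOA_RANK = {
    "urn:example:loa:1": 1,
    "urn:example:loa:2": 2,
    "urn:example:loa:3": 3,
}

# Constructed sample assertion fragment (not from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>urn:example:loa:1</saml:AttributeValue>
      <saml:AttributeValue>urn:example:loa:2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assurance_values(assertion_xml: str) -> List[str]:
    """Return every eduPersonAssurance value in the assertion (may be empty)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != EDUPERSON_ASSURANCE_OID:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            if val.text:
                values.append(val.text.strip())
    return values


def highest_loa(values: List[str]) -> int:
    """Rank of the strongest *recognised* value.  Unknown strings rank 0, so
    an IdP emitting an unexpected token never satisfies the requirement."""
    return max((LOA_RANK.get(v, 0) for v in values), default=0)


def access_decision(assertion_xml: str, required_loa: int) -> str:
    """'allow' if the asserted LoA meets the requirement, otherwise 'step-up'
    (the user must be vetted by their RA before the SP grants access)."""
    have = highest_loa(assurance_values(assertion_xml))
    return "allow" if have >= required_loa else "step-up"


if __name__ == "__main__":
    print(assurance_values(SAMPLE_ASSERTION))
    print(access_decision(SAMPLE_ASSERTION, required_loa=2))  # allow
    print(access_decision(SAMPLE_ASSERTION, required_loa=3))  # step-up
```

The point of ranking only recognised values is that the SP, not the IdP, defines which assurance tokens count; a missing attribute or an unknown value falls through to the step-up path rather than to access.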

SWAMID - eduID

2. For simplicity, SWAMID cannot use the Govt e-ID solution. (not entirely true but I would need quicker fingers to explain..) eduID is offering an API for universities to integrate their own OTP solution, and as of next year eduID will offer U2F.

4. This is what eduID is offering with OTP today. The complex question that we ran into here is the binding (vetting) of the second factor to the individual. There is little to no value in providing a universal step up service unless the organisation that "owns" the user can securely know which tokens the user has.

5. The govt runs an admission service for the whole hi-ed sector (see https://www.universityadmissions.se/intl/start). This service needs something like AL2, so around 200.000 users EACH YEAR get some sort of AL2 account here. 5.1 costs.. Depends how you count. If we would do it again or coach someone in doing it it would be less. SWAMID's costs to get ONLY eduID to Kantara AL2 were somewhere between 20-50k€


Maturity Templates

SURFnet: Doc (in Dutch)

  • Simple (Single?) Sign On
    • How many systems/applications can be used with the account, authentication, identities in the organisation
  • Authorization
    • How many systems/applications can be authorized with the account, roles/groups, central or decentral, types of groups/roles, differentiate between identities
  • Source system
    • which/how many source systems are used, manual input with documentation, one leading system, add attributes/information for SP
  • Policies?
    • for authorization, authentication, provisioning, standardisation, FIM, privacy; responsibilities for them; architecture; security policy; password policy; lifecycle for accounts; how often is FIM updated; how often are policies updated; are those policies in use; monitoring and updating policies
  • Processes and procedures
    • processes for new users, rules for username and email, verification of the identity, lifecycle, process how data is given to a third party, process to generate new passwords, how often is the data updated, reviews and reports, conclusions from reports and reviews
  • IdP System
    • standardised, which standard, availability, when available
  • Quality of data
    • correctness, completeness, change management of data, verification of data with external databases/systems
  • Implementation of processes and procedures
    • clearly described, monitoring, ?, legal entity?
  • Security
    • awareness, audits, intrusion tests, classified, actions, data protection, logfiles

haka: Excel file (in English)

  • Inventory of Authorized and Unauthorized Devices
    • responsibility for information asset, assets clearly identified and documented
  • Secure Configurations for Software on Workstations and Servers
    • documentation available for the IdP configuration, documentation available with commands for starting and stopping the IdP together with test procedures to verify that the service started correctly, database behind firewall, documentation for software configuration changes, use of unsecure protocols prevented, configuration assessment programs executed regularly
  • Boundary Defense & Secure Configurations for Network Devices
    • firewall rules defined to allow only traffic defined in configuration documentation, IdP in DMZ, internal and external zones, IDS, IPS, automated port scans executed regularly, management interfaces separated
  • Maintenance, Monitoring, and Analysis of Security Audit Logs
    • monitoring system + logs, automated alerting messages, reports, checks that no personal data is logged to avoid privacy issues, automation
  • Application Software Security
    • assertion lifetime, signature check of metadata, private keys only readable by the services the IdP needs, new key pair at least every three years, application firewall, anti-malware protection, help desk
  • Controlled Use of Administrative Privileges
    • remote root or admin logins forbidden, default passwords changed
  • Controlled Access Based on the Need to Know
    • description of IM of IdP, unique identities, verification, shared secrets, password policy, minimum password length, password complexity enforcement, password lifetime, passwords by secure channels, strong authentication
  • Continuous Vulnerability Assessment and Remediation
    • vulnerability scanning tools, critical updates, up-to-date metadata
  • Account Monitoring and Control
    • statistics on authentications, accounts disabled, statistics on SPs, regularity of statistics
  • Privacy
    • legal & contractual compliance, User acceptance, consent of end users, due notification in changes of the service are in place, privacy policy service
  • Data Recovery & Incident Response Capability
    • backup copies, restore procedure tested, backups in secure location, incident response procedures, known what should be done in the case of a compromise of the certificate private key
  • Security Skills Assessment and Appropriate Training
    • procedure defined to educate the IdP administrators and trained staff

Recommendations

SWAMID - eduID

InCommon and their IdPs

IdPs in WAYF because of audits
