Presentation is loading. Please wait.

Presentation is loading. Please wait.

E-Authentication & Authorization Presentation to the EA2 Task Force March 6, 2007.

Published byBaldwin Emil Horn Modified over 8 years ago

Similar presentations

Presentation on theme: "E-Authentication & Authorization Presentation to the EA2 Task Force March 6, 2007."— Presentation transcript:

1 e-Authentication & Authorization Presentation to the EA2 Task Force March 6, 2007

2 What is Meteor? Web-based universal access channel for real-time inquiry of financial aid information Web-based universal access channel for real-time inquiry of financial aid information Aggregated information to assist Financial Aid Professionals, students and borrowers with debt counseling and the aid process in general Aggregated information to assist Financial Aid Professionals, students and borrowers with debt counseling and the aid process in general Collaborative effort of leading FFELP providers Collaborative effort of leading FFELP providers Freely available software and access to the network Freely available software and access to the network

3 The Meteor Project Components The Meteor Software The Meteor Software The Meteor Network The Meteor Network The Meteor Federation The Meteor Federation

4 Meteor Software Features Information from multiple data providers is aggregated in real-time to assist the FAP and the borrower with the financial aid process, repayment and default aversion. Information from multiple data providers is aggregated in real-time to assist the FAP and the borrower with the financial aid process, repayment and default aversion. Meteor is a collaborative effort utilizing leading-edge technology and access is provided at no charge. Meteor is a collaborative effort utilizing leading-edge technology and access is provided at no charge.

5 Meteor Software Features Access timely, student-specific financial aid information from multiple sources Access timely, student-specific financial aid information from multiple sources One-stop, common, online customer service resource One-stop, common, online customer service resource

6 Types of Data Available FFELP FFELP Alternative/Private Loans Alternative/Private Loans State Grants & Scholarships (Planned) State Grants & Scholarships (Planned) Perkins (In development) Perkins (In development) Direct Loans (Planned) Direct Loans (Planned) Pell Grants (Planned) Pell Grants (Planned)

7 The Meteor Network Meteor Meteor Federated Model: Transitive Trust Federated Model: Transitive Trust Multiple points of access Multiple points of access User Roles User Roles School School Student/Borrower Student/Borrower Customer Service Representatives Customer Service Representatives Lenders Lenders

8 Use of data approved by FSA FSA approval for use of real-time data FSA approval for use of real-time data Collaborative effort to bring about change to the requirements for schools to solely rely on NSLDS Collaborative effort to bring about change to the requirements for schools to solely rely on NSLDS Allows schools to resolve discrepancies by using real time data that comes directly from the loan holders databases Allows schools to resolve discrepancies by using real time data that comes directly from the loan holders databases

9 One Two Access Provider Data Providers Student/Borrower or Financial Aid Professional or Access Provider Representative or Lender Three Index Provider Users Federated Authentication Process The Meteor Process

10 E-Authentication The MAT worked with the Shibboleth project, a project of Internet2/Mace, in developing architectures, policy structures, practical technologies, and an open source implementation to support inter-agency sharing of web resources. The MAT worked with the Shibboleth project, a project of Internet2/Mace, in developing architectures, policy structures, practical technologies, and an open source implementation to support inter-agency sharing of web resources. Shibboleth project participants include Brown University, Ohio State, Penn State and many other colleges and universities. Shibboleth project participants include Brown University, Ohio State, Penn State and many other colleges and universities.

11 Building Trust and Integrity Building Trust and Integrity The Meteor Advisory Team sought input and expertise regarding privacy and security from the sponsoring organizations and the NCHELP Legal Committee. The Meteor Advisory Team sought input and expertise regarding privacy and security from the sponsoring organizations and the NCHELP Legal Committee. Analysis was provided in relation to Gramm- Leach-Bliley Act (GLBA), and individual state privacy laws. Analysis was provided in relation to Gramm- Leach-Bliley Act (GLBA), and individual state privacy laws. The analysis revealed that Meteor complied with both GLB and known state privacy provisions. The analysis revealed that Meteor complied with both GLB and known state privacy provisions.

12 Building Trust and Integrity Building Trust and Integrity Federated model of authentication Federated model of authentication Meteor Participant Certification Meteor Participant Certification Conditions of Use Conditions of Use Authentication protocol review Authentication protocol review Use of Data Exception Policy Use of Data Exception Policy

13 Reliability and Security Data is sent directly from the data provider’s system and is not altered in any way within Meteor Data is sent directly from the data provider’s system and is not altered in any way within Meteor All data is electronically transmitted securely using SSL encryption All data is electronically transmitted securely using SSL encryption Independent Audit showed no serious vulnerabilities Independent Audit showed no serious vulnerabilities

14 Provide a flexible, easy to implement authentication system that meets the needs of the provider organizations and their customers. Provide a flexible, easy to implement authentication system that meets the needs of the provider organizations and their customers. Ensure compliance with the Gramm-Leach- Bliley Act (GLBA), federal guidelines, and applicable state privacy laws. Ensure compliance with the Gramm-Leach- Bliley Act (GLBA), federal guidelines, and applicable state privacy laws. Meteor’s Authentication Objectives

15 Assure data owners that only appropriately authenticated end users have access to data. Assure data owners that only appropriately authenticated end users have access to data. Ensure compliance to participant organizations internal security and privacy guidelines. Ensure compliance to participant organizations internal security and privacy guidelines. Meteor’s Authentication Objectives

16 Authentication No central authentication process No central authentication process Utilizes transitive trust model Utilizes transitive trust model Each Access Provider uses their existing authentication model (single sign-on) Each Access Provider uses their existing authentication model (single sign-on) Level of trust assigned at registration Level of trust assigned at registration

17 The Meteor Authentication Model Each Access Provider uses their existing authentication model (single sign-on) Each Access Provider uses their existing authentication model (single sign-on) Meteor levels of assurance are assigned at registration Meteor levels of assurance are assigned at registration Level 0 (Unique ID) Level 0 (Unique ID) Level 1 (Unique ID & 1 piece of validated public data) Level 1 (Unique ID & 1 piece of validated public data) Level 2 (Unique ID & 2 pieces of validated public data) Level 2 (Unique ID & 2 pieces of validated public data) Level 3 (Unique/User ID & shared secret) Level 3 (Unique/User ID & shared secret) Meteor Level 3 complies with the NIST Level 2 Meteor Level 3 complies with the NIST Level 2

18 User is required to provide an ID and a shared secret. User is required to provide an ID and a shared secret. Assignment and delivery of shared secret must be secure. Assignment and delivery of shared secret must be secure. Assignment of shared secret is based on validated information. Assignment of shared secret is based on validated information. Reasonable assurances that the storage of the IDs and shared secrets are secure. Reasonable assurances that the storage of the IDs and shared secrets are secure. Meteor’s Authentication Requirements

19 Access provider must ensure appropriate authentication for each end user and provide traceability back to that user Access provider must ensure appropriate authentication for each end user and provide traceability back to that user Access provider must provide authentication policy to central authority Access provider must provide authentication policy to central authority Access provider must provide central authority with 30 day advance notice of changes to authentication policy Access provider must provide central authority with 30 day advance notice of changes to authentication policy Access provider must agree to appropriate use of data Access provider must agree to appropriate use of data E-Authentication Policies

20 End user authenticates at access provider site or through a Meteor approved third party Authentication Agent End user authenticates at access provider site or through a Meteor approved third party Authentication Agent Access provider creates authentication assertion (SAML) Access provider creates authentication assertion (SAML) Access provider signs authentication assertion with digital certificate Access provider signs authentication assertion with digital certificate Control is passed to Meteor software Control is passed to Meteor software The Meteor Authentication Process

21 Index and data providers verify assertion using the access provider’s public key stored in the registry. Index and data providers verify assertion using the access provider’s public key stored in the registry. End user is provided access to the aggregated data End user is provided access to the aggregated data The Meteor Authentication Process

22 Role of end user Role of end user Social Security Number Social Security Number Authentication Process ID Authentication Process ID Level of Assurance Level of Assurance Opaque ID Opaque ID School OPEID (Summer 2007) School OPEID (Summer 2007) SAML Assertion Attributes

23 Current Status 1 Index Provider 1 Index Provider 20 Data Providers 20 Data Providers 15 Access Providers 15 Access Providers 1 Authentication Agent 1 Authentication Agent

24 Meteor Usage Meteor Usage Meteor Usage FAA Statistics FAA Statistics Usage has been increasing since FSA announcement about use of real time data Usage has been increasing since FSA announcement about use of real time data Borrower Statistics Borrower Statistics Meteor…not just an inquiry network Meteor…not just an inquiry network In addition to providing access to and aggregation of financial aid award information, the Meteor software can also be used by organizations to enhance their current services. In addition to providing access to and aggregation of financial aid award information, the Meteor software can also be used by organizations to enhance their current services. MYF integration MYF integration Internal usage of the software at member organizations Internal usage of the software at member organizations

25 Authentication and Authorization Authentication is the process of determining the identity of a user that is attempting to access a system. Authentication is the process of determining the identity of a user that is attempting to access a system. Authorization is the process of determining what types of activities are permitted. Authorization is the process of determining what types of activities are permitted.

26 Authentication and Authorization Once you have authenticated a user, they may be authorized different types of access or activity. Once you have authenticated a user, they may be authorized different types of access or activity. Meteor Roles Meteor Roles Financial Aid Professional Financial Aid Professional Student/Borrower Student/Borrower Customer Service Customer Service Lender Lender

27 Authentication Process: Student logs into Access Provider site (i.e. school, lender, servicer or guarantor) Student logs into Access Provider site (i.e. school, lender, servicer or guarantor) Access Provider authenticates student Access Provider authenticates student Access Provider messages the Meteor Registry for validation, attaching the security assertion Access Provider messages the Meteor Registry for validation, attaching the security assertion Registry validates the provider and sends the request to the Meteor Index for processing. Registry validates the provider and sends the request to the Meteor Index for processing. The index identifies potential data providers who receive a message including the security assertion The index identifies potential data providers who receive a message including the security assertion Data providers return data to the access provider provided that the applicable authentication level meets their requirements. Data providers return data to the access provider provided that the applicable authentication level meets their requirements.

28 What’s Next? Continue to monitor the development of XML, transport and authentication standards Continue to monitor the development of XML, transport and authentication standards Review of multi-layer authentication Review of multi-layer authentication Clock synchronization across the network for timing out of assertions for additional security Clock synchronization across the network for timing out of assertions for additional security Alignment with the NIST levels of assurance Alignment with the NIST levels of assurance

29 Contact Information Tim Cameron Meteor Project Manager NCHELP703-969-8565 meteor@nchelp.org

Download ppt "E-Authentication & Authorization Presentation to the EA2 Task Force March 6, 2007."

Similar presentations

Where Did My Loan Go? Presenters: Amy Kerwin Great Lakes Higher Education Guaranty Corporation Tim Cameron National Council of Higher Education Loan Programs.

Where Did My Loan Go? Presenters: Amy Kerwin Great Lakes Higher Education Guaranty Corporation Tim Cameron National Council of Higher Education Loan Programs.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
Presented by: Doug Falk National Student Clearinghouse Student Access to Federal Loan Data and Other Online Student Services.

Presented by: Doug Falk National Student Clearinghouse Student Access to Federal Loan Data and Other Online Student Services.
Split Servicing: Tools and Strategies to Help Track and Manage Debt Presented by: Tim Cameron The Meteor Project Manager National Council of Higher Education.

Split Servicing: Tools and Strategies to Help Track and Manage Debt Presented by: Tim Cameron The Meteor Project Manager National Council of Higher Education.
Campus Based Authentication & The Project Presented By: Tim Cameron National Council of Higher Education Loan Programs.

Campus Based Authentication & The Project Presented By: Tim Cameron National Council of Higher Education Loan Programs.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
Department of Labor HSPD-12

Department of Labor HSPD-12
5 th Annual Conference on Technology & Standards April 28 – 30, 2008 Hyatt Regency Washington on Capitol Hill www.PESC.org Electronic Data Exchange Standards.

5 th Annual Conference on Technology & Standards April 28 – 30, 2008 Hyatt Regency Washington on Capitol Hill Electronic Data Exchange Standards.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Electronic Status Reporting for Lenders FSA Guaranteed Loan System.

Electronic Status Reporting for Lenders FSA Guaranteed Loan System.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
NDSU Lunchbytes Are They Really Who They Say They Are? Digital or Electronic Signature Information Rick Johnson, Theresa Semmens, Lorna Olsen April 24,

NDSU Lunchbytes "Are They Really Who They Say They Are?" Digital or Electronic Signature Information Rick Johnson, Theresa Semmens, Lorna Olsen April 24,
EAuthentication in Higher Education Tim Bornholtz Session 58.

EAuthentication in Higher Education Tim Bornholtz Session 58.

Similar presentations

Ads by Google