Federated Identity, Levels of Assurance, and the InCommon Silver Certification
Jim Green
Identity Management, Academic Technology Services
© Michigan State University Board of Trustees
Federation
Federated Identity
– Shibboleth
– Identity provider (IdP) – your home institution
– Authentication using an IdP-provided credential that extends beyond your IdP’s boundary, e.g. for access to a resource at another institution or external organization, i.e. a Service Provider (SP)
– Attributes released to the SP
– Requires trust between SP and IdP
Federation
– InCommon
– Organization made up of identity providers, service providers, and other interested parties
– Pre-establishes a trust framework
Levels of Assurance
NIST – “Electronic Authentication Guideline”
– Levels: a measure of the reliability of a credential
– Identity proofing, strength of the authentication technology, general best practices for security and identity management
– Use cases: federal grants
InCommon Identity Assurance
– InCommon Technical Advisory Committee
– Identity Assurance Assessment Framework
– Bronze/Silver Identity Assurance Profiles
CIC InCommon Silver Project
CIC Identity Management, CIC Auditors
– At the behest of the CIC CIOs
Assert Silver LOA for at least some of our users by Fall 2011
InCommon Technical Advisory Committee is participating
Drivers for doing it as a CIC project
– Share the work
– Influence the TAC and upcoming drafts of the IAP
Renee Shuey of Penn State is leading
MSU team:
– Steve Kurncz, Internal Audit
– Matt Kolb, Academic Technology Services
– Jim Green, Academic Technology Services
InCommon Silver Assessment Factors
Audit requirement
General best practices
– Risk management, configuration management, DR
– Network security, physical security
– Policies – privacy, terms and conditions, account revocation
– Policies, processes, practices documented
Identity verification
– In-person verification of a driver’s license (DL) or passport, linked to the credential
Strong passwords and password rules
– NIST entropy calculation
– Two-factor authentication can mitigate
– Forgot-password process must be just as strong
And …
Issues
Scope
Documentation lacking
Need a new process – ID Office
Passwords in clear text
Password policies
– Two-factor authentication
– Stronger rules for Silver users only
Resources
Shibboleth --
InCommon Identity Assurance – ce/ ce/
NIST /SP800-63V1_0_2.pdf -63/SP800-63V1_0_2.pdf
Contact
Jim Green
Identity Management, Academic Technology Services
Phone: