
https://aarc-project.eu Authentication and Authorisation for Research and Collaboration. David Groep, EUGridPMA 35 Amsterdam meeting: Developments in scalable negotiation and assurance (presentation transcript)


Slide 1: Developments in scalable negotiation and assurance
Policy Harmonisation and Best Practices
David Groep, AARC NA3 Activity Lead, Nikhef, Physics Data Processing Group
EUGridPMA 35 Amsterdam meeting, 8 September 2015
https://aarc-project.eu

Slide 2: The Policy Puzzle
Many groups and (proposed) policies (IGTF, SCI, REFEDS, FIM4R, GN4, AARC, SIRTFI, ...), but leaving many open issues.
AARC “NA3” is tackling a sub-set of these:
- “Levels of Assurance”: a minimally-useful level and a differentiated set, for ID and attributes
- “Incident Response”: encouraging ‘expression’ of engagement by (federation) partners and a common understanding
- “Sustainability models and Guest IdPs”: how can a service be offered in the long run?
- “Scalable policy negotiation”: beyond bilateral discussion (and more IGTF style?)
- “Protection of (accounting) data privacy”: aggregation of PI-like data in collaborative infrastructures
Of these, some are of direct relevance to the IGTF community; for the others: join an AARC open meeting!
Thanks to all AARC folk for their work, esp. Mikael Linden, Dave Kelsey, Martin Haase, Peter Gietz; and to Daniela Pöhn of LRZ/GN4

Slide 3: I. Assurance Level Landscape & activities
Plenty of ‘definitions’ in commercial/gov space for identity providers:
- NIST
- Kantara
- eIDAS (new draft)
- VoT (new draft, https://tools.ietf.org/html/draft-richer-vectors-of-trust-01)
For the R&E community:
- our own (CA-RP-inspired) Generalised LoA
- ‘step-up’ authentication initiatives
- Federation “identity management practice statements” (instead of external audits)
- plus many community and national ones, see https://www.iana.org/assignments/loa-profiles/
But also Entity Categories (“R&S”) and CoCo are akin to LoA definitions, but then ‘reversed’ to apply (mostly) to service providers

Slide 4: eIDAS draft as of June 24th at CMTD(2015)0720
Like NIST and Kantara: a mix of vetting assurance and authenticator qualities
See http://ec.europa.eu/transparency/regcomitology/index.cfm?do=search.documentdetail&jl9SmYIxaiPrPBeTK5Qyrmy+JAT8XSUYZ4c3fEwWtPjVqHZGdIwy2rS97ztb5t8b

eIDAS LoA                                | LoA=low                                                    | LoA=substantial                   | LoA=high
Application and registration             | Applicant aware of terms, security precautions etc.        | <- same                           |
ID proofing and verification             | Delivery to home address, exists in authoritative registry | Perform a bank transaction etc.   | Photo ID face-to-face
AuthN means                              | Password                                                   | 2 factor                          | 2 factor + HSM
Issuance, delivery, activation           | Mail                                                       | Secure delivery (registered mail) | Secure delivery + activation
Suspension, revocation, reactivation     | Timely by authorised person                                | <- same                           |
Renewal, replacement                     | As initial delivery                                        | <- same                           | <- same + verification from authoritative registry
Authentication mechanism                 | Protection against guessing, etc.                          | Dynamic authentication            | PKI ...
Management, information security, audits | ...                                                        |                                   |

Summary by Mikael Linden, CSC

Slide 5: VoT (Vectors of Trust)
Core Components:
2.1. Identity Proofing
2.2. Primary Credential Usage
2.3. Primary Credential Management
2.4. Assertion Presentation
“For example, the vector value "P1.C3.A2" translates to pseudonymous, proof of shared key, signed back-channel verified token in the context of this specification's definitions”
In SAML a VoT vector is communicated as an AuthenticationContextClassRef
OpenID Connect: { "vtr": ["P1.C2.C3.A2", "C5.A2"] }
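The slide shows how a VoT vector is written and how a relying party requests one over OpenID Connect, but not what the relying party has to do with the vector it gets back. The example below is added here to show that check; it is not code from the AARC project or from the VoT draft authors. It assumes the four category letters of draft-richer-vectors-of-trust-01 (P identity proofing, C primary credential usage, M primary credential management, A assertion presentation) with single-character values, treats a requested vector as satisfied only when every one of its components appears in the asserted vector (component values are matched as labels, not compared on a scale), and assumes that the asserted vector and its trustmark arrive in the ID token as the claims "vot" and "vtm"; the trustmark URL and the ID-token claim sets are constructed for the example.

```python
"""Checking a Vectors of Trust (VoT) assertion against a relying party's policy.

Added example for this page, not code from the AARC project or the VoT draft
authors. Assumptions: category letters P, C, M, A with a single-character
value; a requested vector is satisfied only when all of its components are
present in the asserted one; the ID token carries the vector in 'vot' and the
trustmark URL in 'vtm'.
"""
import re
from typing import Dict, Iterable, Set

# One category letter followed by one value character, e.g. "P1", "C3", "A2".
COMPONENT_RE = re.compile(r"^([PCMA])([0-9A-Za-z])$")


def parse_vot(vector: str) -> Dict[str, Set[str]]:
    """Split "P1.C2.C3.A2" into {"P": {"1"}, "C": {"2", "3"}, "A": {"2"}}.

    A category may carry several values (C2 and C3 above). Anything that is
    not a well-formed component raises ValueError, so a corrupted or hostile
    claim fails closed instead of being silently accepted.
    """
    if not vector:
        raise ValueError("empty VoT vector")
    parsed: Dict[str, Set[str]] = {}
    for part in vector.split("."):
        match = COMPONENT_RE.match(part)
        if match is None:
            raise ValueError(f"malformed VoT component: {part!r}")
        category, value = match.groups()
        parsed.setdefault(category, set()).add(value)
    return parsed


def satisfies(asserted: str, requested: str) -> bool:
    """True when every component the RP asked for is present in the assertion."""
    have = parse_vot(asserted)
    need = parse_vot(requested)
    return all(values <= have.get(category, set())
               for category, values in need.items())


def acceptable(asserted: str, vtr: Iterable[str]) -> bool:
    """An OpenID Connect 'vtr' request lists alternatives; one match suffices."""
    return any(satisfies(asserted, alternative) for alternative in vtr)


def check_id_token(claims: dict, vtr: Iterable[str], trusted_vtm: Set[str]) -> bool:
    """Relying-party check on the claims of an already signature-verified ID token.

    The trustmark must be one the RP trusts (it defines what the vector means),
    the asserted vector must meet one requested alternative, and a missing or
    malformed claim is rejected.
    """
    vot = claims.get("vot")
    vtm = claims.get("vtm")
    if not isinstance(vot, str) or not isinstance(vtm, str):
        return False
    if vtm not in trusted_vtm:
        return False
    try:
        return acceptable(vot, vtr)
    except ValueError:
        return False


# The slide's request: either P1+C2+C3+A2, or C5+A2 (no proofing component).
REQUESTED_VTR = ["P1.C2.C3.A2", "C5.A2"]
# Constructed trustmark URL for the example; not a real trustmark.
TRUSTED_VTM = {"https://trustmark.example.org/vot"}


if __name__ == "__main__":
    # Constructed ID-token claim sets (signature verification assumed done).
    samples = [
        {"sub": "u1", "vot": "P1.C2.C3.A2", "vtm": "https://trustmark.example.org/vot"},
        {"sub": "u2", "vot": "P1.C3.A2", "vtm": "https://trustmark.example.org/vot"},
        {"sub": "u3", "vot": "P2.C5.A2", "vtm": "https://trustmark.example.org/vot"},
        {"sub": "u4", "vot": "P2.C5.A2", "vtm": "https://other.example.org/vot"},
        {"sub": "u5", "vot": "P1..A2", "vtm": "https://trustmark.example.org/vot"},
    ]
    for claims in samples:
        verdict = check_id_token(claims, REQUESTED_VTR, TRUSTED_VTM)
        print(f"{claims['sub']}: vot={claims['vot']!r} accepted={verdict}")
```

Note that the slide's own example vector "P1.C3.A2" is rejected against the slide's request: it lacks C2 for the first alternative and C5 for the second, which is the point of matching components rather than reading the digits as a ranking. For SAML the same check applies to the vector string once it has been taken out of the AuthnContextClassRef.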

Slide 6: LoA requirements and ‘achievability’
What do relying parties need, and what can IdPs provide?
- R&E federations and their IdPs looking at the ‘service aspect’ of providing assurance: https://wiki.geant.org/display/gn41sa5/1.4+Service+Aspects+of+Assurance
- AARC (through surveys and FIM4R) looking at immediate and longer-term need by SPs and RPs: https://wiki.geant.org/display/AARC/LoA+survey+for+SP+communities
Key challenge is the cost of operation, and who bears this cost
- For the IGTF, this has been partially side-stepped because of close coordination or (funding) links between the IdPs/CAs and the researcher user communities
- ‘Open’, generically provided IdPs tend to die sooner or later
- LoA capabilities seem closely linked to sustainability ...

Slide 7: Sustainability model
Over time, no generic (non-community-based) identity provider seems to survive...
- ProtectNetwork: changes to pay-per-use (SPs need to pay $$$ now)
- Feide OpenIdP: phase out by Jan 1st, 2016
Since nothing really comes for free:
- many of the IGTF Identity Providers are (co)supported by a national/community group
- many IGTF core operations are supported by the RPs, directly or indirectly

Slide 8: ‘Selling’ LoA
Identity providers who bear the costs have become weary of LoA, especially if they are from a country where the Govt pushes rather firmly on formal LoAs.
“I'm assuming you are comparing "higher" to "existing broadly adopted levels" rather than "existing defined levels". So "higher than CoCo" but not necessarily "higher than InCommon Silver". From an advertising standpoint if nothing else I'd suggest avoiding the term "higher" when talking to US IdPOs. :)” -- from the REFEDS list recently (Eric Goodman)

Slide 9: II. Sustainable models
Sustainable operating models
- Who supports such a service? Central national funding, RPs using it, subscribers/users paying a subscription fee, community-centric funding, ...
- Promotion: how to get subscriber/user buy-in (and support for sustainable ops funding)
- How to support inter-federation? Are there additional issues there?
For the homeless users (IdPs of Last Resort or “Guest IdPs”)
- Policies for ‘homeless user’ account lifecycles
- Policies for translating social network identities into SAML federation users
- Policies for attribute authorities / gathering user consent
- Operation model

Slide 10: Is your CA, or ‘guest IdPs’ in general, sustainable long-term?
“many CAs also in our community have gone away or faded ...”
Your opinions or plans for the future?
If your CA were not there, what would you recommend to users as an “identity of last resort”?

Slide 11: III. Scalable Policies
Existing ‘scalable’ policy mechanisms
- IGTF ‘policy bridge’ distribution ... the distribution looks rather technology specific though ...
- Geant CoCo, iCoco, REFEDS R&S, and some evaluation of the extent to which they are currently used: https://technical.edugain.org/entities.php and https://met.refeds.org/

Slide 12: Scalable policy for R&E
Gaps or problems to be addressed in R&E federations
- Federations not exposing IdPs to eduGAIN; willing IdPs with metadata re-written by the FO
- How many AARC SPs are in eduGAIN (do we miss loads?)
- What about SIRTFI trust compliance?
- Should policies be single global definitions (like CoCo, R&S), or should we prepare for many ‘community trust marks’ (e.g. ‘IGTF’ could be such a trust mark)? There are already some countries that have nationally-scoped entity categories & trustmarks. Compare to TACAR, where the registry is neutral but anchors can be ‘qualified’.
- First thoughts on how to encourage adoption? (we have to address “deployment mechanisms”)
- The TNC2015 Attribute Release workshop was very good

Slide 13: Beyond identity-only
How do we extend to general Attribute Authorities and others?
- Identification of entities to be classified (non-IdP AA, credential translator, others)
- What codes of conduct are required? Data Protection? Other operational best practices (IGTF AAOPS Guidelines)?
- Start work on formulating recommendations on the grouping of entities and on the actual deployable mechanisms (for SA1)

Slide 14: Questionnaires
- Identity management services and providers
- Federation
- Relying parties and service providers

Slide 15: Current status to be collected
- IdP survey: https://wiki.geant.org/display/gn41sa5/IdP+survey
- Federation survey: https://wiki.geant.org/display/gn41sa5/Federation+survey
- SP survey: https://wiki.geant.org/display/AARC/Level+of+Assurance+survey+for+SP+communities

Slide 16: IdP questions
1. Identity/account concept
- Account for an individual person (i.e. there are no shared accounts)? If shared: possible to distinguish between individual and shared accounts? If individual account: traceable?
- Are identifiers persistent? Which unique identifier?
2. Registration and proof of identity
- What identity vetting process? Face-to-face or different? Documented?
- Different validation between student, staff or faculty members? How?
3. Online authentication
- Passwords? Passwords with quality guarantees? What kind of guarantees?
- Two factor authentication? If yes, which second factor? Is the eID used?
- If no two factor authentication: how big would the cost be to provide two factor authentication?
How widely do Home Orgs use government IDs, i.e. the strong authentication the governments use for authenticating citizens? Major universities in Finland have been doing it for years... The downside is that it costs (some eurocents per authn) and it is the IdP that would pay the bill.

Slide 17: IdP questions (2)
4. Freshness of user data
- Are accounts closed as an individual departs? How promptly?
- Is the eduPersonAffiliation value updated as an individual departs? How promptly?
5. Step-up authentication
- Step-up authentication means that the user first authenticates with a password, and subsequently with a second factor (such as a one-time password delivered to his/her cellphone)
- Would you like to have GÉANT/your NREN run such a service (if it costs/if it doesn't cost)?
- How many users would need such a service?
6. Provenance and level of assurance
- Do you use a level of assurance? Which one? Is the LoA self-asserted?
- Is everything documented? If not documented: what would the costs be?
- Internal audits? External audits? If no audits: costs for that?
- How many users need a (higher) level of assurance?
- Identity Management Practice Statement?

Slide 18: Federation questions
General overview
- Do you have a LoA (schema) in place, and which one?
- Do you have contracts with IdPs?
- Do you require an Identity Management Practice Statement? Do you enforce it?
- Do you require any audits/documentation for IdPs?
Level of assurance
- Have you made any cost analysis for introducing (a higher) LoA?
- Is a higher LoA wanted from IdPs?
- Any experiences on which costs IdPs have to make in order to achieve a specific LoA?
- Impacts on adopting LoA

Slide 19: SP and relying party-targeted questions
Who are your end users (who need to log in to your services):
- researchers with a Home Organisation (that operates or potentially operates an IdP)?
- citizen scientists?
- students with a Home Organisation (that operates or potentially operates an IdP)?
- else/what?

Slide 20: SP/RP questions
3.1. Identity concept
How important is it for you that ...
- all user identities (accounts in the Home Organisation) belong to an individual person (i.e. there are no shared accounts like "libraryuser1")?
- all users are traceable (i.e. the Home Organisation knows who they are and can reach them)? And the Home Organisation is willing to collaborate with you if you think their user misbehaves in your service? That you (as an SP) can block him/her from your service?
- user identifiers are persistent, i.e. a user account is not re-assigned (re-cycled) to another person over time?
- user identifiers are shared by multiple SPs, i.e. if you have 2 SPs, do they both receive the same user identifier when the same user logs in to the two services?
3.2. Initial proof of identity
How important is it for you that ...
- the Home Organisation has a documented identity vetting process (whatever it is) in English and you can study it?
- each Home Organisation has a machine-readable tag that indicates how the organisation carries out identity proofing, and the tag is from a well-defined international vocabulary?
- each user in a Home Organisation has the above tag, and different end users in the same organisation can have different tags (depending on how their identity was initially proofed)?
- the identity proofing is done face-to-face based on a government photo-ID or equivalent?

Slide 21: SP/RP questions
3.3. On-line authentication
- Is password-based authentication good enough for you?
- Should passwords have some kind of quality floor? (What kind of quality floor?)
- Do you need two factor authentication? (What kind of?) Are you willing to share its costs?
3.4. Step-up authentication as a service
Step-up authentication means that the user first authenticates with a password, and subsequently with a second factor (such as a one-time password delivered to his/her cellphone). Step-up authentication could be delivered to research communities as a service.
- Would you like to make use of step-up authentication if it costs you money?
- ... if it costs you work (for instance, you need to operate one or several registration authorities where your community's users come to show their photo-ID and you record their cellphone number)?

Slide 22
4. Questions on user attributes
Besides an identifier, the Home Organisation's Identity Provider is able to deliver other attributes of the person that logs in.
4.1. Freshness of user accounts and attributes
Many Home Organisations close the user account when an individual departs (e.g. a researcher changes his/her employer). Closing the account also closes federated access to your SP. However, some organisations keep the accounts open (e.g. to serve alumni etc.).
- Do you expect that user accounts are closed as a user departs? How promptly?
- Do you expect that the user's role attribute value (e.g. eduPersonAffiliation="faculty") is updated as an individual departs? How promptly?
4.2. Quality/provenance of user data
In larger universities the IdP gathers users' attributes from several registries (payroll system, CRIS system, student registry) with varying data quality. Some attributes can even be self-asserted by the user him/herself.
- Is it important for you to know the quality/provenance of the user data on the attribute level? What attributes? On what level of granularity?
4.3. Population and release of attributes
- What are the key attributes Home Organisations should populate for their end users and release to your SP?

Slide 23: SP/RP questions
5. Questions on audits
- Is it enough for you that a Home Organisation self-asserts that it complies with a certain LoA level?
- Should some external body have some enforcement rights (e.g. the Home identity federation can remove the “compliant” tag from the Home Organisation if there are doubts that a Home Organisation fails its LoA level)?
- Are internal audits needed? Are external audits needed? Are you willing to share their costs?

Slide 24: Thank you. Any Questions?
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).
https://aarc-project.eu
davidg@nikhef.nl
Thanks to all AARC folk whose slides and work I used in here, esp. Mikael Linden, Dave Kelsey, Martin Haase, Peter Gietz, and to Daniela Pöhn of LRZ/GN4

