OIX initiative, US only? Mapping Swedish Academic Identity Federation 2.0 Policy Framework to Open Identity Exchange (OIX) Trust Framework Provider Assessment Package Pål Axelsson, Uppsala universitet / SWAMID Valter Nordh, Göteborgs universitet / SWAMID

Page 1: OIX initiative, US only? Mapping Swedish Academic Identity Federation 2.0 Policy Framework to Open Identity Exchange (OIX) Trust Framework Provider Assessment.

OIX initiative, US only?

Mapping Swedish Academic Identity Federation 2.0 Policy Framework to Open Identity Exchange (OIX)

Trust Framework Provider Assessment Package

Pål Axelsson, Uppsala universitet / SWAMID

Valter Nordh, Göteborgs universitet / SWAMID

Page 2

Agenda - outline

Brief introduction to SWAMID and Sweden

Legal structure of the Swedish educational system

SWAMID Policy OIX mapping with highlights

Conclusion

Page 3

Swedish Academic Identity Federation (SWAMID)

SWAMID is operated by the Swedish NREN SUNET

SWAMID 2.0 Policy Framework

The SWAMID Policy describes governance, membership and scope

The Identity Assurance Profiles describe levels of trust in claims and organizations

The Federation Technology Profiles describe concrete realizations of the Policy and Assurance Profiles in terms of specific technologies (e.g. SAML, eduroam)

Identity providers must be members and represent the interests of Swedish higher education institutions (HEI)

Service providers do not need to be members.

Page 4

Statistics about Sweden

National data

449,964 sq km (slightly larger than California)

9.4M people in Sweden

21 persons per sq km

Higher education

369,000 individual students per year

321,000 full-time equivalent students per year

50 HEI (universities and university colleges) with the right to award higher education qualifications

35 members in SWAMID

Page 5

Legal structure of the Swedish educational system

Most higher education in Sweden is provided by government agencies with an educational mandate.

This means that most HEIs are considered part of the Swedish government.

An agency of the Swedish government is by Swedish law only accountable in a Swedish court or an EU court with regard to the exercise of governmental authority.

Privately owned HEIs are mostly governed by the same laws and bylaws.

All Swedish higher education qualifications, and the HEIs that award them, are directly accredited in the annex "System of Qualifications" to the Higher Education Ordinance, a government bylaw.

Page 6

Initial goal: SWAMID Federation Operator as OIX Registered Assessor at LoA1

In the next set of slides we'll present the mapping from SWAMID 2.0 Policy Framework to OIX Trust Framework Provider Assessment Package.

We highlight investigation areas in their own slides.

SWAMID Policy to OIX mapping

Green means that mapping is ok.

Turquoise means that mapping is probably ok.

Yellow means that the mapping needs more investigation.

Red means that mapping is not ok.

Page 7

SWAMID findings

Table 2 OIX Review of Member Organizational Maturity

Table 2 a1 Verify IdP legal status.

Table 2 a2 Verify IdP has appropriate authorization to operate as an identity provider.

Table 2 a3 Verify IdP has legal authority to commit the IdP to serve as an identity provider on behalf of the Federal government.

Table 2 a4 Verify IdP has the financial capacity to manage the risks associated with serving as an identity provider on behalf of the Federal government.

Table 2 a5 Verify IdP has understanding of, and compliance with any legal requirements incumbent on the IdP in connection to serving as an identity provider on behalf of the Federal government.

Table 2 a6 Verify the scope and extent of IdP’s implemented security controls (e.g., access control, confidentiality of user information, facility security).

Table 2 a7 Verify IdP has documentation of policies and procedures.

Table 2 a8 Review proof that IdP practices are consistent with documented policies and procedures (e.g., via independent auditor reports, if required by LOA requirements).

Table 3 OIX US ICAM Privacy Requirements for Members

Table 3 a Opt In – Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.

Table 3 b Minimalism – Identity Provider must transmit only those attributes that were explicitly requested by the RP application or required by the Federal profile. RP Application attribute requests must be consistent with the data contemplated in their Privacy Impact Assessment (PIA) as required by the E-Government Act of 2002.

Table 3 c Activity Tracking – Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002.

Table 3 d Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.

Table 3 e Non Compulsory – As an alternative to 3rd-party identity providers, agencies should provide alternative access such that the disclosure of End User PII to commercial partners must not be a condition of access to any Federal service.

Table 3 f Termination – In the event an Identity Provider ceases to provide this service, the Provider shall continue to protect any sensitive data including PII.

Table 7A OIX US ICAM LOA 1 V1 Trust Criteria - Registration and Issuance

Table 7A 1 A trusted relationship always exists between the RA and Identity Provider.

Table 7A 2 Sensitive data collected during the registration stage must be protected at all times (e.g. transmission and storage) to ensure its security and privacy.

Table 7A 3 Resist token issuance disclosure threat.

Table 7A 4 Resist token issuance tampering threat.

Table 7A 5 Resist unauthorized token issuance threat.

Table 7A 6 Some effort should be made to uniquely identify and track applications.

Table 7B OIX US ICAM LOA 1 V1 Trust Criteria - Tokens

Table 7B 1 Resist token duplication threat.

Table 7B 2 Resist social engineering threat.

Table 7B 3 For memorized secret tokens, pre-registered knowledge tokens, look-up secret tokens, and out of band tokens, the probability that an Attacker can guess a valid authenticator, over the lifetime of the token, must be less than 2^-10 (1 in 1024).

Table 7C OIX US ICAM LOA 1 V1 Trust Criteria - Token and Credential Management

Table 7C 1 Resist token duplication threat. Files of shared secrets used by Verifiers shall be protected by discretionary access controls that limit access to administrators and only to those applications that require access. Such shared secret files shall not contain the plaintext passwords.

Table 7C 2 Long term token secrets should not be shared with other parties unless absolutely necessary.

Table 7D OIX US ICAM LOA 1 V1 Trust Criteria - Authentication Process

Table 7D 1 Resist online guessing threat.

Table 7D 2 Resist replay threat.

Table 7D 3 Successful authentication requires that the Claimant shall prove, through a secure authentication protocol, that he or she controls the token.

Table 7D 4 Plaintext passwords or secrets shall not be transmitted across a network.

Table 7E OIX US ICAM LOA 1 V1 Trust Criteria - Assertions

Table 7E 1 Use an ICAM adopted authentication scheme.
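Table 7B 3 bounds the probability that an attacker guesses a memorized secret over the token lifetime at 2^-10, and Table 7D 1 asks IdPs to resist online guessing. The following is an added example, not SWAMID's or OIX's code, of how a federation operator could check an IdP's password and lockout policy against that bound; the policy parameters and the min-entropy figures are constructed assumptions.

```python
"""Check the Table 7B 3 bound (guessing probability < 2^-10 over the token
lifetime) for memorized-secret tokens. Added example; policy numbers are assumed."""
import math
from dataclasses import dataclass

LOA1_MAX_GUESS_PROBABILITY = 2 ** -10  # Table 7B 3: "less than 2^-10 (1 in 1024)"


@dataclass(frozen=True)
class PasswordPolicy:
    min_entropy_bits: float   # estimated min-entropy of the weakest acceptable secret
    max_failed_attempts: int  # failed logins tolerated before the account is throttled
    lockout_seconds: int      # length of the throttling window after that many failures
    token_lifetime_days: int  # maximum password age; bounds the attack period


def max_online_guesses(policy: PasswordPolicy) -> int:
    """Upper bound on online guesses against one account over the token lifetime.
    The lockout policy (Table 7D 1, resist online guessing) is what bounds this."""
    lifetime_seconds = policy.token_lifetime_days * 86400
    windows = math.ceil(lifetime_seconds / policy.lockout_seconds)
    return windows * policy.max_failed_attempts


def guess_probability(policy: PasswordPolicy) -> float:
    """Probability of a successful guess, assuming the attacker never repeats a guess
    and the secret is drawn from 2^min_entropy_bits equally likely values."""
    space = 2.0 ** policy.min_entropy_bits
    return min(1.0, max_online_guesses(policy) / space)


def required_entropy_bits(policy: PasswordPolicy) -> float:
    """Smallest min-entropy that would satisfy the bound under this lockout policy."""
    return math.log2(max_online_guesses(policy) / LOA1_MAX_GUESS_PROBABILITY)


def meets_loa1(policy: PasswordPolicy) -> bool:
    return guess_probability(policy) < LOA1_MAX_GUESS_PROBABILITY


# Constructed sample policies (assumptions, not SWAMID members' actual policies).
PIN_POLICY = PasswordPolicy(min_entropy_bits=math.log2(10_000), max_failed_attempts=10,
                            lockout_seconds=60, token_lifetime_days=365)
WEAK_POLICY = PasswordPolicy(min_entropy_bits=24, max_failed_attempts=5,
                             lockout_seconds=900, token_lifetime_days=365)
STRONG_POLICY = PasswordPolicy(min_entropy_bits=30, max_failed_attempts=5,
                               lockout_seconds=900, token_lifetime_days=365)

if __name__ == "__main__":
    for name, policy in [("PIN", PIN_POLICY), ("weak", WEAK_POLICY), ("strong", STRONG_POLICY)]:
        print(f"{name}: guesses={max_online_guesses(policy)} "
              f"p={guess_probability(policy):.2e} needs>={required_entropy_bits(policy):.1f} bits "
              f"LOA1={'ok' if meets_loa1(policy) else 'FAIL'}")
```

The weak policy shows that a 5-per-15-minutes lockout alone does not satisfy the bound when the secret space is small; the minimum entropy the lockout still requires is what required_entropy_bits reports.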

Page 8

Table 2 a4: Verify IdP has the financial capacity to manage the risks associated with serving as an identity provider on behalf of the Federal government

OIX Applicant's Response

Registered Assessor must review IdP's financial statements and verify that IdP has adequate insurance policies and limits, including Errors and Omissions coverage of at least $2,000,000, Directors and Officers coverage, and any other applicable policies.

SWAMID's finding

Most SWAMID members are Swedish government agencies and as such are not allowed to buy regular insurance. Instead, the Legal, Financial and Administrative Services Agency (Kammarkollegiet) provides insurance to government agencies. This insurance coverage is optional. All but a very small number of universities and university colleges are covered, and the minimum coverage is 10 MSEK, which at today's exchange rate is approximately 1.5 MUSD. A typical large-scale university that is a foundation and not a government agency (Chalmers) is privately covered at 5 times this amount. However, this requirement may be problematic and will in all likelihood prevent us from joining all SWAMID IdPs to an OIX upstream.

Page 9

Table 2 a5: Verify IdP has understanding of, and compliance with any legal requirements incumbent on the IdP in connection to serving as an identity provider on behalf of the Federal government.

OIX Applicant's Response

IdP is required to submit a written statement confirming the OIX Membership requirement of compliance with applicable law, including compliance with the legal requirements in Table 1, row e, and with any other legal requirements that may be in effect for the jurisdiction in which the IdP operates. Registered Assessor must interview IdP regarding its understanding of these requirements and the policies and procedures it uses to comply with these requirements.

SWAMID's finding

This requirement may pose a problem if we want to join all IdPs to an OIX upstream. Many IdPs will not see the value in learning enough US law to be able to comply with this requirement. Please note that an agency of the Swedish government is by Swedish law only accountable in a Swedish court or an EU court with regard to the exercise of governmental authority.

Page 10

Table 3 a: Opt In – Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.

OIX Applicant's Response

IdP must provide Registered Assessor with documentation of how it conforms to this requirement and give specific examples. Registered Assessor must verify that the documented IdP practices conform to this requirement.

SWAMID's finding

This requires each IdP to deploy a consent module with the accept-and-remember function turned off. This will be an issue for a large set of IdPs because of its user-unfriendliness. There is no consent module today for Shibboleth that has a per-Service-Provider setting for turning off accept-and-remember.

Page 11

Table 3 c: Activity Tracking – Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002.

OIX Applicant's Response

IdP must provide Registered Assessor with documentation of how it conforms to this requirement. NOTE: The last sentence of this requirement is not applicable to IdPs. Registered Assessor must verify that the documented IdP practices conform to this requirement.

SWAMID's finding

What about lawful intercepts required by national legislation, some of it built on EU directives? What about statistics gathering and reporting?

Page 12

Table 3 d: Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.

OIX Applicant's Response

IdP must provide Registered Assessor with documentation of how it conforms to this requirement and give specific examples. Registered Assessor must verify that the documented IdP practices conform to this requirement.

SWAMID's finding

This could be fulfilled by requiring a consent module to be activated for the OIX RP. Possibly not consent as such, but the IdP certainly needs to notify the user when the authentication happens. Would the default login page for Shibboleth 2.3.0 fulfil these requirements?

Page 13

Table 7A 6: Some effort should be made to uniquely identify and track applications.

OIX Applicant's Response

("Applications" means "requests for token".) IdP must show it has reasonable means to ensure that the same party acts throughout the registration, and token and credential issuance processes, as may be specified in NIST 800-63 or equivalent.

SWAMID's finding

This should be covered by the identity management practice statement. We need to understand this requirement better. Is it about using nonces to track a subject through the various stages of the application and registration process?

Page 14

UK Access Management Federation

UK federation operated by JISC Collections and EDINA

UK federation policy framework: a short 'Rules of Membership'; 'Section 6' is the only current assurance profile; technical recommendations for participants.

Currently 99% Higher Education, 80% Further Education, plus some schools (K12) coverage.

880 members, 1280 entities.

Nicole Harris

Page 15

UK Assessment

UK focus to date on low-level assurance; the UK federation is dealing with K-99 – a large range of assurance requirements.

'Pain points' are the same as the SWAMID findings.

How do we technically manage an OIX aggregate for metadata?

We will not seek to up-lift all IdPs in the UK federation to this level.

Nicole Harris

Page 16

Conclusions

Moving away from technical issues toward primarily legal, but also economic, aspects.

Main problem areas:

US Legal requirements vs. Swedish national legislation

Strict opt-in requirements

Legal requirements

User friendliness vs. data protection

Insurance requirements

Page 17

About

SWEDEN.SE: Sweden in brief
http://www.sweden.se/eng/Home/Quick-facts/Sweden-in-brief/

About Sweden from Wikipedia.org
http://en.wikipedia.org/wiki/Sweden

SWAMID 2.0 Policy
http://www.swamid.se/11/policy/swamid-2.0.html
(Page is in Swedish, but the policy framework documents are in English)

National qualifications framework in Sweden
http://hsv.se/highereducationinsweden/nationalqualificationsframework.4.5dc5cfca11dd92979c480001476.html

OIX Trust Framework Provider Assessment Package
http://openidentityexchange.org/sites/default/files/oix-us-icam-loa1-tfp-assessment-package-2010-02-12.pdf