OIX initiative, US only?
Mapping Swedish Academic Identity Federation 2.0 Policy Framework to Open Identity Exchange (OIX)
Trust Framework Provider Assessment Package
Pål Axelsson, Uppsala universitet / SWAMID
Valter Nordh, Göteborgs universitet / SWAMID
Agenda - outline
Brief introduction to SWAMID and Sweden
Legal structure of the Swedish educational system
SWAMID Policy OIX mapping with highlights
Conclusion
Swedish Academic Identity Federation (SWAMID)
SWAMID is operated by the Swedish NREN SUNET
SWAMID 2.0 Policy Framework
The SWAMID Policy describes governance, membership and scope.
The Identity Assurance Profiles describe levels of trust in claims and organizations.
The Federation Technology Profiles describe concrete realizations of the Policy and Assurance Profiles in terms of specific technologies (e.g. SAML, eduroam etc.).
Identity providers must be members and represent the interests of Swedish higher education institutions (HEI).
Service providers do not need to be members.
Statistics about Sweden
National data
449,964 sq km (slightly larger than California)
9.4M people in Sweden
21 persons per sq km
Higher education
369,000 individual students per year
321,000 full-time equivalent students per year
50 HEI (universities and university colleges) with the right to award higher education qualifications
35 members in SWAMID
Legal structure of the Swedish educational system
Most higher education in Sweden is provided by governmental educational agencies.
This means that most HEIs are considered part of the Swedish government.
An agency of the Swedish government is by Swedish law only accountable in a Swedish court or an EU court with regard to the exercise of governmental authority.
Privately owned HEIs are mostly governed by the same laws and bylaws.
All Swedish higher education qualifications, and the HEIs that award them, are directly accredited in the government bylaw Higher Education Ordinance, annex System of Qualifications.
INITIAL GOAL
SWAMID Federation Operator as OIX Registered Assessor at LoA1
In the next set of slides we'll present the mapping from SWAMID 2.0 Policy Framework to OIX Trust Framework Provider Assessment Package.
We highlight investigation areas in their own slides.
SWAMID Policy to OIX mapping
Green means that mapping is ok.
Turquoise means that mapping is probably ok.
Yellow means that mapping needs more investigation.
Red means that mapping is not ok.
SWAMID findings
Table 2 OIX Review of Member Organizational Maturity
Table 2 a1 Verify IdP legal status.
Table 2 a2 Verify IdP has appropriate authorization to operate as an identity provider.
Table 2 a3 Verify IdP has legal authority to commit the IdP to serve as an identity provider on behalf of the Federal government.
Table 2 a4 Verify IdP has the financial capacity to manage the risks associated with serving as an identity provider on behalf of the Federal government.
Table 2 a5 Verify IdP has understanding of, and compliance with any legal requirements incumbent on the IdP in connection to serving as an identity provider on behalf of the Federal government.
Table 2 a6 Verify the scope and extent of IdP’s implemented security controls (e.g., access control, confidentiality of user information, facility security).
Table 2 a7 Verify IdP has documentation of policies and procedures.
Table 2 a8 Review proof that IdP practices are consistent with documented policies and procedures (e.g., via independent auditor reports, if required by LOA requirements).
Table 3 OIX US ICAM Privacy Requirements for Members
Table 3 a Opt In – Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.
Table 3 b Minimalism – Identity Provider must transmit only those attributes that were explicitly requested by the RP application or required by the Federal profile. RP Application attribute requests must be consistent with the data contemplated in their Privacy Impact Assessment (PIA) as required by the E-Government Act of 2002.
Table 3 c Activity Tracking – Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002.
Table 3 d Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.
Table 3 e Non Compulsory – As an alternative to 3rd-party identity providers, agencies should provide alternative access such that the disclosure of End User PII to commercial partners must not be a condition of access to any Federal service.
Table 3 f Termination – In the event an Identity Provider ceases to provide this service, the Provider shall continue to protect any sensitive data including PII.
Table 7A OIX US ICAM LOA 1 V1 Trust Criteria - Registration and Issuance
Table 7A 1 A trusted relationship always exists between the RA and Identity Provider.
Table 7A 2 Sensitive data collected during the registration stage must be protected at all times (e.g. transmission and storage) to ensure its security and privacy.
Table 7A 3 Resist token issuance disclosure threat.
Table 7A 4 Resist token issuance tampering threat.
Table 7A 5 Resist unauthorized token issuance threat.
Table 7A 6 Some effort should be made to uniquely identify and track applications.
Table 7B OIX US ICAM LOA 1 V1 Trust Criteria - Tokens
Table 7B 1 Resist token duplication threat.
Table 7B 2 Resist social engineering threat.
Table 7B 3 For memorized secret tokens, pre-registered knowledge tokens, look-up secret tokens, and out of band tokens, the probability that an Attacker can guess a valid authenticator, over the lifetime of the token, must be less than 2^-10 (1 in 1024).
Table 7C OIX US ICAM LOA 1 V1 Trust Criteria - Token and Credential Management
Table 7C 1 Resist token duplication threat. Files of shared secrets used by Verifiers shall be protected by discretionary access controls that limit access to administrators and only to those applications that require access. Such shared secret files shall not contain the plaintext passwords.
Table 7C 2 Long term token secrets should not be shared with other parties unless absolutely necessary.
Table 7D OIX US ICAM LOA 1 V1 Trust Criteria - Authentication Process
Table 7D 1 Resist online guessing threat.
Table 7D 2 Resist replay threat.
Table 7D 3 Successful authentication requires that the Claimant shall prove, through a secure authentication protocol, that he or she controls the token.
Table 7D 4 Plaintext passwords or secrets shall not be transmitted across a network.
Table 7E OIX US ICAM LOA 1 V1 Trust Criteria - Assertions
Table 7E 1 Use an ICAM adopted authentication scheme.
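Table 7B 3 caps the attacker's chance of guessing a valid authenticator over the token's lifetime at 2^-10, and Table 7D 1 requires the authentication process to resist online guessing; the two meet in the guess budget that a lockout or throttle has to enforce. The Python below is an added example, not part of these slides or of any SWAMID or OIX material; it assumes secrets are uniformly random over the full keyspace (user-chosen passwords have far less entropy, as NIST 800-63 estimates), so its figures are an upper bound, and the per-day throttle model is constructed for illustration.

```python
"""Check the LoA1 guessing bound of OIX/ICAM Table 7B 3 against a throttle policy (Table 7D 1).

Added example; assumes secrets are chosen uniformly at random from the full keyspace.
Real user-chosen passwords have far less entropy, so treat these figures as an upper bound.
"""
from fractions import Fraction

# Table 7B 3: probability of guessing a valid authenticator over the token lifetime must be < 2^-10.
LOA1_MAX_GUESS_PROBABILITY = Fraction(1, 2 ** 10)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets when each of `length` positions is drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def guess_probability(alphabet_size: int, length: int, attempts: int) -> Fraction:
    """Chance that `attempts` distinct online guesses hit a uniformly random secret."""
    space = keyspace(alphabet_size, length)
    return Fraction(min(attempts, space), space)


def meets_loa1(alphabet_size: int, length: int, attempts: int) -> bool:
    """True if the guessing probability stays strictly below the Table 7B 3 bound."""
    return guess_probability(alphabet_size, length, attempts) < LOA1_MAX_GUESS_PROBABILITY


def max_attempts_for_loa1(alphabet_size: int, length: int) -> int:
    """Largest number of online guesses over the token lifetime that still satisfies the bound.

    attempts / space < 1/1024  <=>  attempts < space / 1024, i.e. ceil(space / 1024) - 1.
    This is the budget an online-guessing throttle (Table 7D 1) must enforce over the whole lifetime.
    """
    return (keyspace(alphabet_size, length) - 1) // 2 ** 10


def attempts_over_lifetime(max_failures_per_day: int, lifetime_days: int) -> int:
    """Guesses a per-day failure limit allows before the token expires (constructed throttle model)."""
    return max_failures_per_day * lifetime_days


if __name__ == "__main__":
    # A 4-digit PIN with "lock after 10 failures" does not meet LoA1: 10/10000 > 1/1024.
    print("4-digit PIN, 10 tries:", meets_loa1(10, 4, 10), "budget:", max_attempts_for_loa1(10, 4))
    # A 6-digit PIN allowing 100 failures per day over a one-year token lifetime also fails.
    print("6-digit PIN, 100/day for a year:", meets_loa1(10, 6, attempts_over_lifetime(100, 365)))
    # An 8-character lowercase secret leaves a budget of hundreds of millions of guesses.
    print("8 lowercase chars, budget:", max_attempts_for_loa1(26, 8))
```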
Table 2 a4: Verify IdP has the financial capacity to manage the risks associated with serving as an identity provider on behalf of the Federal government.
OIX Applicant's Response
Registered Assessor must review IdP's financial statements and verify that IdP has adequate insurance policies and limits, including Errors and Omissions coverage of at least $2,000,000, Directors and Officers coverage, and any other applicable policies.
SWAMID's finding
Most SWAMID members are Swedish government agencies and as such are not allowed to buy regular insurance. Instead the Legal, Financial and Administrative Services Agency (Kammarkollegiet) provides insurance to government agencies. This insurance coverage is optional. All but a very small number of universities and university colleges are covered, and the minimum coverage is 10 MSEK, which at today's dollar rate is approximately 1.5 MUSD. A typical large-scale university that is a foundation and not a government agency (Chalmers) is privately covered at 5 times this amount. However, this requirement may be problematic and will in all likelihood prevent us from joining all SWAMID IdPs to an OIX upstream.
Table 2 a5: Verify IdP has understanding of, and compliance with any legal requirements incumbent on the IdP in connection to serving as an identity provider on behalf of the Federal government.
OIX Applicant's Response
IdP is required to submit a written statement confirming the OIX Membership requirement of compliance with applicable law including compliance with the legal requirements in Table 1, row e, and with any other legal requirements that may be in effect for the jurisdiction in which the IdP operates. Registered Assessor must interview IdP regarding its understanding of these requirements and the policies and procedures it uses to comply with these requirements.
SWAMID's finding
This requirement may pose a problem if we want to join all IdPs to an OIX upstream. Many IdPs will not see the value in learning enough US law to be able to comply with this requirement. Please note that an agency of the Swedish government is by Swedish law only accountable in a Swedish court or EU court with regards to exercise of governmental authority.
Table 3 a: Opt In – Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.
OIX Applicant's Response
IdP must provide Registered Assessor with documentation of how it conforms to this requirement and give specific examples. Registered Assessor must verify that the documented IdP practices conform to this requirement.
SWAMID's finding
This requires each IdP to deploy a consent module with the accept-and-remember function turned off. This will be an issue for a large set of IdPs due to its user unfriendliness. There is no consent module today for Shibboleth that has a per Service Provider setting for turning off accept-and-remember.
Table 3 c: Activity Tracking – Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002.
OIX Applicant's Response
IdP must provide Registered Assessor with documentation of how it conforms to this requirement. NOTE: The last sentence of this requirement is not applicable to IdPs. Registered Assessor must verify that the documented IdP practices conform to this requirement.
SWAMID's finding
What about lawful intercepts required by national legislation, some of it built on EU directives? What about statistics gathering and reporting?
Table 3 d: Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.
OIX Applicant's Response
IdP must provide Registered Assessor with documentation of how it conforms to this requirement and give specific examples. Registered Assessor must verify that the documented IdP practices conform to this requirement.
SWAMID's finding
This could be fulfilled by requiring a consent module activated for the OIX RP. Possibly not consent as such, but certainly the IdP needs to notify the user when the authentication happens. Would the default login page for Shibboleth 2.3.0 fulfill these requirements?
Table 7A 6: Some effort should be made to uniquely identify and track applications.
OIX Applicant's Response
("Applications" means "requests for token".) IdP must show it has reasonable means to ensure that the same party acts throughout the registration, and token and credential issuance processes as may be specified in NIST 800-63 or equivalent.
SWAMID's finding
This should be covered by the identity management practice statement. We need to understand this requirement better. Is it about using nonces to track a subject through the various stages of the application and registration process?
UK Access Management Federation
UK federation operated by JISC Collections and EDINA
UK federation policy framework: Short ‘Rules of Membership’, ‘Section 6’ only current assurance profile, Technical recommendations for participants.
Currently 99% Higher Education, 80% Further Education, plus some schools (K12) coverage.
880 members, 1280 entities.
Nicole Harris
UK Assessment
UK focus to date on low-level assurance.
UK federation dealing with K-99 – a large range of assurance requirements.
’Pain points’ the same as the SWAMID findings.
How do we technically manage an OIX aggregate for metadata?
We will not seek to up-lift all IdPs in the UK federation to this level.
Nicole Harris
Conclusions
Moving away from technical issues toward primarily legal but also economic aspects.
Main problem areas:
US Legal requirements vs. Swedish national legislation
Strict opt-in requirements
Legal requirements
User friendliness vs. data protection
Insurance requirements
About
SWEDEN.SE: Sweden in brief: http://www.sweden.se/eng/Home/Quick-facts/Sweden-in-brief/
About Sweden from Wikipedia.org: http://en.wikipedia.org/wiki/Sweden
SWAMID 2.0 Policy: http://www.swamid.se/11/policy/swamid-2.0.html (page is in Swedish but the policy framework documents are in English)
National qualifications framework in Sweden: http://hsv.se/highereducationinsweden/nationalqualificationsframework.4.5dc5cfca11dd92979c480001476.html
OIX Trust Framework Provider Assessment Package: http://openidentityexchange.org/sites/default/files/oix-us-icam-loa1-tfp-assessment-package-2010-02-12.pdf