The AARC and GEANT GN4 projects are studying the requirements on Level of Assurance (LoA) of Service Provider (SP) communities, such as research infrastructures and communities, e-infrastructures and research centres. The survey results will serve the future development of federated authentication and authorisation in the set-up where an end user's Home Organisation (e.g. the university or research institute employing the researcher) issues the authentication credentials to the user and authenticates him/her. The survey results will be published.

...

  • Identity vetting: how an end user demonstrates his/her identity at the time when s/he receives the authentication credential from his/her Home Organisation (e.g. by presenting a government photo-ID face-to-face at a registration desk, or by self-registration on-line)
  • Authentication: how an end user proves his/her identity to his/her Home Organisation's Identity Provider (IdP) server when s/he logs in (e.g. password, or multi-factor authentication with a certificate or token)

...

  • researchers with a Home Organisation (that operates or potentially operates an IdP)?
  • citizen scientists?
  • students with a Home Organisation (that operates or potentially operates an IdP)?
  • else/what?

If you are a research community 

  • is affiliation of a researcher (user) with your community typically longer lived than any organizational affiliation or employment, or does community membership stem primarily from organizational affiliation?
  • do you consider yourself also as a source of (identity) assurance for your community members?

3. Questions on Identity and Authentication

...

  • all user identities (accounts in the Home Organisation) belong to an individual person (i.e. there are no shared accounts like "libraryuser1", and any robot/automated agent is traceable to a named person)?
  • and all users are traceable (i.e. the Home Organisation knows who they are and can reach them)?
  • and the Home Organisation is willing to collaborate with you if you think their user misbehaves in your service?
  • that you (as an SP) can block him/her from your service?

...

  • the Home Organisation has a documented identity vetting process (whatever it is) in English and you can study it?
  • each Home Organisation has a machine-readable tag that indicates how the organisation carries out identity proofing, and the tag is from a well-defined international vocabulary?
  • each user in a Home Organisation has the above tag, but different end users in the same organisation can have different tags (depending on how their identity was initially proofed)?
  • the identity proofing is done face-to-face based on a government photo-ID or equivalent?

...

  • Is password-based authentication good enough for you?
  • Should passwords have some kind of quality floor? (What kind of quality floor?)
  • Do you need two-factor authentication? (What kind?) Are you willing to share its costs?

3.4. Step-up authentication as a service

...

In larger universities the IdP/IdM gathers users' attributes from several registries (payroll system, CRIS (current research information system), student registry) with varying data quality. Some attributes can even be self-asserted by the user him/herself.

...

  • Is it enough for you that a Home Organisation self-asserts that it complies with a certain LoA level?
  • Should some external body have some enforcement rights (e.g. the home identity federation can remove the “compliant” tag from a Home Organisation if there are doubts that it fails to meet its LoA level)?
  • Are internal periodic self-assessments needed? Should these be reviewed (or open to review) by e.g. the home identity federation or federation peers?
  • Are internal audits needed where the auditors are from an independent organisational unit?
  • Are external audits needed? Are you willing to share their costs?

...