Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Questions for SP communities AARC and GEANT GN4 projects are studying the Service Provider (SP) communities' (such as research infrastructures, e-infrastructures, communities and research centers) requirements on Level of Assurance (LoA). The survey results will serve the future development of federated authentication and authorization in the set-up where an end user's Home Organisation (e.g. research infrastructure projects or individual SP admins). (Interview or web based survey) 

How important it is for you that...

Identity concept

the university or research institute employing the researcher) delivers him/her the authentication credentials and authenticates him/her. The survey results will be published.

1.Introduction to LoA

Narrowly speaking, LoA for user authentication covers two things:

  • Identity vetting: how an end user demonstrates his/her identity at the time when s/he receives the authentication credential from his/her Home Organisation (e.g. by presenting government photo-id face-to-face at a registration desk or self-registration on-line)
  • authentication: how an end user proofs his/her identity to his/her Home Organisation's Identity Provider (IdP) server when s/he logs in (e.g. password or multi-factor authentication with a certificate or token) 

More widely speaking, LoA can also cover e.g.

  • management of credentials (e.g. delivery of credentials to their holder, revocation of credentials)
  • information security management of the Home Organisation
  • audits of the Home Organisation

Some people also count these in

  • quality and freshness of user attributes (self-asserted by the user or Home Organisation vetted)
  • Home Organisation's ability and willingness to populate and release the attributes to the SPs

2. Questions on the research infrastructures/communities

Who are your end users (who need to log in to your services):

  • researchers with a Home Organisation (that operates or potentially operates an IdP)?
  • citizen scientists?
  • students with a Home Organisation (that operates or potentially operates an IdP)?
  • else/what?

If you are a research community 

  • is affiliation of a researcher (user) with your community typically longer lived than any organizational affiliation or employment, or does community membership stem primarily from organizational affiliation?
  • do you consider yourself also as a source of (identity) assurance for your community members?

 3.Questions on Identity and Authentication

User's "network identity" distinguishes him/her from other users of the SP.

3.1. Identity concept

How important is it for you that 

  • all user identities (accounts in the Home Organisation) belongs to an individual person (i.e. there are no shared accounts like "libraryuser1". Any robot/automated agent is traceable to a named person)?
  • and all users are traceable (i.e. the Home Organization knows who they are and can reach them)?
  • and the Home Organisation is willing to collaborate with you if you think their user misbehaves in your service
  • an account belongs to an individual person?
  • and s/he is traceable (i.e. the home organization knows and can reach him/her)?
  • and Home Organisation is willing to penalize him/her if s/he misbehaves?
  • that you (as an SP community) can block him/her from the serviceyour service?
  • user identifiers are persistent i.e. not reassigned to another persona user account is not re-assigned (re-cycled) to another person over time?
  • user identifiers are shared by multiple SPs  (i i.e. not pairwise/targeted)if you have 2 SPs, do they both receive the same user identifier when the same user logs in to the two services?

3.2.Initial proof of identity

How important is it for you that 

  • the home organization Home Organization has a documented identity vetting process?
  • the identity vetting process is f2f or equivalent?
  • process (whatever it is) in English and you can study it?
  • each Home Organisation has a machine-readable tag that indicates how the organization carries out identity proofing and the tag is from a well-defined international vocabulary?
  • each user in a Home Organisation has the above tag and different end users in the same organization can have different tags (depending how their identity was initially proofed)?
  • the identity proofing is done face-to-face based on a government photo-ID or equivalent?

3.3.On-line authentication

  • passwordsAre password-based authentication good enough for you?
  • passwords with quality quaranteesShould passwords have some kind of quality floor? (What kind of quality floor?)
  • Do you need two factor authentication?

...

  • ? (What kind of?) Are you willing to share its costs?

3.4.Step-up authentication as a service

Step-up authentication means that the user first authenticates with a password, and subsequently with a second factor (such as by a one-time password delivered to his/her cellphone). Step-up authentication could be delivered to research communities as a service.

Would you like to make use of step-up authentication

  • if it costs you money?
  • if it costs you work (operating a registration authority)

Freshness of user data

  • for instance, you need to operate one or several registration authorities where your community's users come to show their photo-ID and you record their cellphone number)?

4. Questions on user attributes

Besides an identifier, the Home Organisation's Identity Provider is able to deliver also other attributes of the person that logs in.

4.1. Freshness of user accounts and attributes

Many Home Organisations close the user account when an individual departs (e.g. researcher changes his/her employer). Closing the account closes also federated access to your SP. However, some organisations keep the accounts open (e.g. to serve alumni etc).

  • Do you expect that user accounts are closed as a user accounts are closed as an individual departs? How promptly?
  • Do you expect that user's role attributes (e.g. eduPersonAffiliation="faculty") value is updated as an individual departs? How promptly?

4.2. Quality/provenance of user data

In larger universities the IdP/IdM gathers users' attributes from several registries (payroll system, CRIS (current research information system), student registry) with varying data quality. Some attributes can even be self-asserted by the user him/herself.

  • Is it important for you to know the quality/provenance of the user data on the attribute level?

...

  • What attributes? On what level of granularity?

4.3. Population and release of attributes

  • What are the key attributes Home Organisations should populate for their end users and release to your SP? 

5.Questions on audits

  • Is it enough that the for you that a Home Organisation self-asserts the above?that it complies with a certain LoA level?
  • Should some external body have plus someone who has some enforcement rights (e.g. Home identity federation can remove “compliant” tag from the HO)?
  • also internal audits needed?
  • also external audits needed?

---

Do we want to mix these things here

  • Home Organisation if there are doubts that a Home Organisation fails its LoA level)?
  • Are internal periodic self-assessments needed? Should these be reviewed (or open to review) by e.g. the Home identity federation or federation peers?

  • Are internal audits needed where the auditors are from an independent organization unit?
  • Are external audits needed? Are you willing to share their costs?
  • attribute population; which attributes the Home Organisation populates for users
  • attribute release; which attributes the Home Organisation is willing to release