Step-up authentication requirements and guidelines for SPs

Summary

This document collects use-cases and requirements from the communities to describe the current state of the field.

The goal is to also derive a common pattern to guide future implementations of Step-up authentication.

Whether OIDC RPs will be targeted is not clear yet.

Links

Working docs

Google-Doc: https://docs.google.com/document/d/1R24xKC-cC7sLyb13Gr2jxKtlA83_qESrkCorT4PTb74/edit#heading=h.mqa2kjgzxbju

Final PDF

To be published

Meetings schedule and Minutes

Date | Location | Agenda | Minutes

2017-07-17 11:00-13:00 (CEST) | https://webconf.vc.dfn.de/aarc-jra1 | Discuss documents A, B, C:
  • Table of Contents
  • Key points to mention
Minutes: We essentially worked inside the documents; minutes do not make sense at this point.
2017-07-28 13:00 (CEST) | https://webconf.vc.dfn.de/aarc-jra1 | Discussion of documents A, B, C
Minutes:
Decided to prioritise document C.
Introduced June from RZG, who is liaising for Geant to consume the results of our document.
Document responsibility handed to Uros.
Finalise Intro: Marcus.

2017-11-07 10:00 (CET) | https://www.nikhef.nl/grid/video/?m=aarcjra1 | Doc discussion
Minutes:
Agreed from now on to use the Vidyo room: https://www.nikhef.nl/grid/video/?m=aarcjra1

Short review of the doc, and discussion about the future steps.

Discussion about the possible implementations of the step-up:

From the SP point of view, there are 3 use cases:

  • First, if the SP requires MFA (or step-up of other components), then every IdP whose users access this service needs to support and provide MFA, which may be difficult to achieve
  • Second, the SP itself may implement the MFA functionality (the actual implementation of this use case was not elaborated at this point)
  • Third (most interesting at this point), an IdP-proxy can provide the step-up service (e.g. for MFA)

Possible description of the third use case:

  • The user authenticates with the SP and establishes a browser session. The SP can then redirect the user to a predefined IdP-proxy service, where the user goes through the step-up procedure (e.g. performs MFA). After successful completion of the step-up procedure, the user is redirected back to the SP, which can then grant access to the user.
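The SP side of the third use case, together with the policy decision that separates it from the first two (is the session's current authentication context enough for the resource, or must the user be sent to the proxy?), written out as an added example. This is not code from the AARC documents or from any project named in these minutes. It assumes the step-up proxy is a SAML 2.0 IdP addressed with an AuthnRequest carrying a RequestedAuthnContext, that the SP has already validated the proxy's Response (signature, audience, conditions) before the parsed assertion reaches accept_stepup(), and that the required context is the REFEDS MFA profile URI; the proxy URL, entity IDs, resource policy, session and sample assertion are all constructed for the example.

```python
"""SP-side logic for the IdP-proxy step-up flow.

Added example, not AARC/JRA1 code.  Assumptions not taken from the page:
the SP keeps a server-side session (subject + AuthnContextClassRefs seen so
far); the step-up proxy is a SAML 2.0 IdP reached with an AuthnRequest; the
SP has already validated the proxy's Response (signature, audience,
conditions) and parsed the assertion into a dict before accept_stepup() runs;
the required context is the REFEDS MFA profile URI.  URLs, entity IDs and
sample data are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA_CONTEXT = "https://refeds.org/profile/mfa"                    # assumed step-up target
STEPUP_PROXY_SSO = "https://stepup-proxy.example.org/saml2/sso"   # hypothetical
SP_ENTITY_ID = "https://sp.example.org/shibboleth"                # hypothetical
SP_ACS_URL = "https://sp.example.org/saml2/acs"                   # hypothetical
MAX_STEPUP_AGE = timedelta(minutes=5)   # oldest AuthnInstant accepted for a step-up

# resource -> AuthnContextClassRefs the session must hold; unlisted resources default to MFA
RESOURCE_POLICY = {"/data/public": set(), "/data/sensitive": {MFA_CONTEXT}}


@dataclass
class Session:
    subject: str                                    # user the browser session belongs to
    authn_contexts: set = field(default_factory=set)
    pending_id: Optional[str] = None                # ID of the outstanding step-up request
    pending_resource: Optional[str] = None          # where the user wanted to go


def required_contexts(resource):
    return set(RESOURCE_POLICY.get(resource, {MFA_CONTEXT}))


def build_stepup_request(request_id, needed, now):
    """SAML AuthnRequest asking the proxy for exactly the missing contexts."""
    req = ET.Element(f"{{{SAML2P}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": STEPUP_PROXY_SSO,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ForceAuthn": "true",   # an existing SSO session at the proxy must not satisfy the step-up
    })
    ET.SubElement(req, f"{{{SAML2}}}Issuer").text = SP_ENTITY_ID
    rac = ET.SubElement(req, f"{{{SAML2P}}}RequestedAuthnContext", {"Comparison": "exact"})
    for ctx in sorted(needed):
        ET.SubElement(rac, f"{{{SAML2}}}AuthnContextClassRef").text = ctx
    return ET.tostring(req, encoding="unicode")


def authorize(session, resource, now=None):
    """('grant', resource) if the session already satisfies the policy, otherwise
    ('stepup', <AuthnRequest XML>) with the request ID remembered in the session."""
    now = now or datetime.now(timezone.utc)
    needed = required_contexts(resource) - session.authn_contexts
    if not needed:
        return ("grant", resource)
    session.pending_id = "_" + secrets.token_hex(16)   # unguessable; ties the response to this session
    session.pending_resource = resource
    return ("stepup", build_stepup_request(session.pending_id, needed, now))


def accept_stepup(session, assertion, now=None):
    """Bind an already-validated step-up assertion to the session that requested it.
    Returns ('grant', resource) or ('reject', reason)."""
    now = now or datetime.now(timezone.utc)
    if session.pending_id is None or assertion["in_response_to"] != session.pending_id:
        return ("reject", "unsolicited response or InResponseTo mismatch")
    if assertion["subject"] != session.subject:
        return ("reject", "step-up was performed by a different subject")
    if now - assertion["authn_instant"] > MAX_STEPUP_AGE:
        return ("reject", "AuthnInstant too old for a step-up")
    resource = session.pending_resource
    session.pending_id = session.pending_resource = None   # a request ID is good for one response
    session.authn_contexts.add(assertion["authn_context"])
    if required_contexts(resource) - session.authn_contexts:
        return ("reject", "asserted AuthnContext does not satisfy the resource policy")
    return ("grant", resource)


def demo():
    """Walk the flow with constructed data: first-factor login, redirect, step-up, access."""
    now = datetime(2018, 2, 13, 10, 0, tzinfo=timezone.utc)
    s = Session("alice@example.org", {PASSWORD_CONTEXT})
    first = authorize(s, "/data/sensitive", now)          # password session is not enough
    stepup = {"in_response_to": s.pending_id, "subject": "alice@example.org",   # constructed
              "authn_context": MFA_CONTEXT, "authn_instant": now + timedelta(seconds=30)}
    second = accept_stepup(s, stepup, now + timedelta(seconds=40))
    return first[0], second, authorize(s, "/data/sensitive", now)[0]


if __name__ == "__main__":
    print(demo())   # ('stepup', ('grant', '/data/sensitive'), 'grant')
```

The three checks in accept_stepup() are what keep the two redirects bound to one user: the InResponseTo must match a request this session issued, the subject asserted by the proxy must be the subject already logged in at the SP (so a second-factor assertion obtained in another browser cannot be spliced into this session), and the AuthnInstant must be recent, which together with ForceAuthn="true" on the request keeps the proxy from answering out of an old SSO session instead of actually performing the step-up. The same structure applies unchanged to the first use case; only the Destination becomes the user's home IdP rather than the proxy.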

Future work:

  • Pinging Stefan for SafeShare chapter: Uros
  • Review old comments and try to resolve them: Uros
  • Create initial drawing of the third use case, on lucidchart: Uros
  • For everyone: going through the doc, and fix current issues
2017-12-05 10:00 (CET) | https://www.nikhef.nl/grid/video/?m=aarcjra1 | Discuss evolution of SuA documents
Minutes:
The SuA (step-up authentication) work will be split into separate documents:

  1. Authentication step-up
  2. AuthN freshness step-up
  3. General assurance elevation
  4. Experiences of the pilot...
2018-01-16 10:00 (CET) | https://www.nikhef.nl/grid/video/?m=aarcjra1 | Follow-up on Step-Up and other documents
Minutes: We agreed to put all definitions into the AARC1-JRA1 Terms and Definitions Google Doc at https://docs.google.com/document/d/18AllfUKLi90f1odm6hINkQvRljbFhy9lfkY1M447uBQ
2018-01-30 10:00 (CET) | https://www.nikhef.nl/grid/video/?m=aarcjra1 | Finalise Step-up document
Minutes:
Received various comments from Mikael, Jens and Mischa.
Will include step-up flows from a Geant document by Christos (Second factor authentication component for the Life Science AAI).
Will have a session at TIIME to discuss the final document.
Marcus will circulate a close-to-final version on Wednesday.

2018-02-13 10:00 (CET) | | Finalise Step-up document
Minutes:
Received comments on the close-to-final version.
Discussed the comments.
Marcus will circulate a 'pretty-final' (= closer-to-final) version on Wednesday.

The call was missing partners from:

  • EGI
  • PSNC
  • Surfnet