Step-up authentication requirements and guidelines for SPs
Summary
This document collects use cases and requirements from the communities to describe the current state of the field.
The goal is also to derive a common pattern to guide future implementations of step-up authentication.
Whether OIDC RPs will be targeted is not clear yet.
Links
Working docs
Google-Doc: https://docs.google.com/document/d/1R24xKC-cC7sLyb13Gr2jxKtlA83_qESrkCorT4PTb74/edit#heading=h.mqa2kjgzxbju
Final PDF
To be published
Meetings schedule and Minutes
2017-07-17-11 13:00 (CEST)
Location: https://webconf.vc.dfn.de/aarc-jra1
Agenda: Discuss documents A, B, C:
- Table of contents
- Key points to mention
Minutes: We essentially worked inside the documents. Minutes do not make sense at this point.

2017-07-28 13:00 (CEST)
Location: https://webconf.vc.dfn.de/aarc-jra1
Agenda: Discussion of documents A, B, C
Minutes:
- Decided to prioritise document C.
- Introduced June from RZG, who is liaising for Geant to consume the results of our document.
- Document responsibility handed to Uros.
- Finalise the introduction: Marcus.

2017-11-07 10:00 (CET)
Location: Agreed from now on to use the Vidyo room: https://www.nikhef.nl/grid/video/?m=aarcjra1
Agenda: Doc discussion
Minutes: Short review of the doc, and discussion about the next steps. Discussion about the possible implementations of step-up. From the SP point of view, there are three use cases:
- First, if the SP requires MFA (or step-up of other components), then all IdPs whose users access this service need to support and provide MFA, which may be difficult to achieve.
- Second, the SP itself may implement MFA functionality (the actual implementation of this use case was not elaborated at this point).
- Third (most interesting at this point), an IdP-proxy can provide the step-up service (e.g. for MFA).
Possible description of the third use case: the user authenticates with the SP and establishes a browser session. The SP can then redirect the user to a predefined IdP-proxy service, where the user goes through the step-up procedure (e.g. performs MFA). After successful completion of the step-up procedure, the user is redirected back to the SP, which can then grant access.
Future work:
- Ping Stefan for the SafeShare chapter: Uros
- Review old comments and try to resolve them: Uros
- Create an initial drawing of the third use case on Lucidchart: Uros
- Everyone: go through the doc and fix the current issues

2017-12-05 10:00 (CET)
Location: https://www.nikhef.nl/grid/video/?m=aarcjra1
Agenda: Discuss evolution of SuA documents
Minutes: There will be three documents:
- Authentication-step-up:
  - Short, concise, to the point (e.g. 4 pages)
  - Step-up for SPs that are connected to a proxy
  - Based on the TNC18 abstract by Jule and Marcus
  - Capturing the discussion we had on AARC2-AHM day 3
  - This will be the new JRA1.2C document for the deliverable
- AuthN-freshness-step-up:
  - Like the above document, but focused on AuthN freshness
- General assurance elevation:
  - "Holistic" document
  - All definitions
  - General assurance elevation on components
  - ..."make it look like an IdP (from the SP perspective)"
  - Still keep it to the point
  - Experiences of the pilot...
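The third use case from the 2017-11-07 minutes (SP session first, redirect to an IdP-proxy for MFA, redirect back, SP grants access) leaves open what the SP must check on the way back. The following is an added toy model of that exchange, written for this page and not AARC or proxy code: the proxy's response stands in for a SAML assertion or OIDC ID token, an HMAC with a shared key stands in for the proxy's signature, and the SP entityID, the shared key and the 300-second freshness window are assumptions. The MFA context identifier is the REFEDS MFA profile URI, chosen here as an assumption since the minutes name no specific value. The SP side binds the response to the session that started the flow (random one-shot request id, subject must equal the logged-in user), and refuses responses that are unsigned, aimed at another SP, assert only a password context, or are older than the window.

```python
"""Toy model of the 'IdP-proxy performs step-up' flow (use case 3 in the
2017-11-07 minutes). Hypothetical example, not AARC code."""
import hashlib
import hmac
import json
import secrets
import time

MFA_CONTEXT = "https://refeds.org/profile/mfa"        # REFEDS MFA profile URI (assumed choice)
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
PROXY_KEY = b"shared-test-key"                         # constructed; stands in for the proxy's signing key
SP_ENTITY_ID = "https://sp.example.org/shibboleth"     # hypothetical SP entityID
MAX_AGE = 300                                          # seconds a step-up AuthnInstant stays acceptable


def sign(payload: dict) -> dict:
    """Proxy 'signature': HMAC over the canonical JSON of the payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(PROXY_KEY, body, hashlib.sha256).hexdigest()}


def verify(msg: dict) -> bool:
    body = json.dumps(msg["payload"], sort_keys=True).encode()
    expected = hmac.new(PROXY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("sig", ""))


# --- SP side ------------------------------------------------------------
def start_step_up(session: dict) -> dict:
    """Step 1: the SP already holds a browser session for the user. It stores a
    random request id in that session so only the browser that started the
    flow can finish it, then redirects the user to the proxy with this request."""
    req_id = secrets.token_urlsafe(16)
    session["pending_step_up"] = req_id
    return {"id": req_id, "issuer": SP_ENTITY_ID, "requested_context": MFA_CONTEXT}


def complete_step_up(session: dict, response: dict, now: float) -> tuple[bool, str]:
    """Step 3: the user is redirected back; validate before granting access."""
    pending = session.pop("pending_step_up", None)     # one-shot: a replayed response fails
    if pending is None:
        return False, "no step-up in progress"
    if not verify(response):
        return False, "bad signature"
    p = response["payload"]
    if p["in_response_to"] != pending:
        return False, "response does not match request"
    if p["audience"] != SP_ENTITY_ID:
        return False, "wrong audience"
    if p["subject"] != session["user"]:                  # second factor done by someone else
        return False, "step-up performed by a different user"
    if p["authn_context"] != MFA_CONTEXT:
        return False, "proxy did not assert MFA"
    if now - p["authn_instant"] > MAX_AGE:
        return False, "step-up too old"
    session["stepped_up_at"] = p["authn_instant"]
    return True, "ok"


# --- proxy side ---------------------------------------------------------
def proxy_step_up(request: dict, subject: str, mfa_passed: bool, now: float) -> dict:
    """Step 2: the proxy runs the second factor and answers with a signed
    statement. If MFA was not completed it asserts only the password context,
    so the SP, not the proxy, makes the access decision."""
    return sign({
        "in_response_to": request["id"],
        "audience": request["issuer"],
        "subject": subject,
        "authn_context": MFA_CONTEXT if mfa_passed else PASSWORD_CONTEXT,
        "authn_instant": now,
    })


def demo(mfa_passed=True, replay=False, age=0, subject="alice") -> tuple[bool, str]:
    """Run one full round trip for the user 'alice' (constructed session)."""
    session = {"user": "alice"}
    now = time.time()
    req = start_step_up(session)
    resp = proxy_step_up(req, subject, mfa_passed, now)
    ok, why = complete_step_up(session, resp, now + age)
    if replay:
        ok, why = complete_step_up(session, resp, now + age)   # same response presented twice
    return ok, why


if __name__ == "__main__":
    for kwargs in ({}, {"mfa_passed": False}, {"replay": True}, {"age": 600}, {"subject": "bob"}):
        print(kwargs, "->", demo(**kwargs))
```

The checks mirror what a real SP does on a SAML response or ID token (signature, InResponseTo, Audience, AuthnContextClassRef, AuthnInstant) with one addition worth keeping in mind for this use case: because the SP session already exists before the redirect, the returned subject has to be compared against the session's user, otherwise a second factor completed in another account would unlock the first.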