Research and education identity federations increasingly face competition from commercial authentication services, such as Google. However, the commercial providers still lack a business model for identity proofing that goes beyond self-registration. Commercial providers also have difficulty providing reliable information on a person’s affiliation with a research and education organisation. Although non-commercial alternatives are also arising (ORCID and citizen authentication systems provided by some governments), to remain in the market the federations need to identify and focus on the properties where the commercial providers have difficulties. This opens the opportunity for an assurance framework for the REFEDS community.
Many identity federations have had optional or mandatory policies for the assurance of identity, authentication and attributes. However, no well-established international assurance specifications for research and education have emerged yet, the IGTF profiles (Aspen, Birch, Cedar and Dogwood) being probably the nearest match.
Research is inherently cross-national, and many research collaborations need to manage access to sensitive or expensive research instruments, data and compute capacity. Therefore research collaborations have been identified as a key customer for an assurance framework. The research collaborations’ requirements on assurance were gathered in the AARC project. The key requirements for low-risk use cases were found to be non-shared, non-reassigned user IDs, documented identity vetting procedures, password authentication following good practices and fresh affiliation information.
The classic one-dimensional approach to assurance (NIST 800-63-2, eIDAS) is being superseded by a multi-dimensional approach (e.g. NIST 800-63-3, Vectors of Trust) where assurance is split into several independent components. The relying services can observe the components independently and consume the values important to them. For instance, NIST 800-63 splits assurance into three components: identity, authentication and federation assurance.
The REFEDS Assurance working group has been crafting the REFEDS Assurance Framework (RAF) to cover the needs of the research and education sector. In research and education federations, the federation component is mostly covered by protocol specifications (such as SAML2int), allowing the REFEDS Assurance working group to focus on identity and authentication. However, to serve the relying services that want simplicity, the RAF further collapses the components into assurance profiles named after coffee drinks: Cappuccino (designed to match the needs of low-risk research) and Espresso.
In RAF, identity and authentication assurance are complemented with attribute assurance, which focuses on one single attribute, eduPersonScopedAffiliation (and derivatives), because many research collaborations want to make sure a researcher’s access to resources is closed promptly when they depart from their home organisation. While the exact semantics of eduPersonAffiliation are covered elsewhere and leave room for local interpretation, the assurance framework focuses on the home organisation’s ability to reflect the user’s departure promptly in the attribute value. In the future, there is a need to extend the attribute assurance to also cover the provenance of other attributes.
The process started in autumn 2015 with the AARC project presenting the requirements on a minimal assurance level for low-risk research. REFEDS reacted by establishing the Assurance working group as an international and open forum that federation operators and home organisation representatives could also join. The working group exposed the first draft of the REFEDS Assurance Framework to a public consultation in spring 2017 and the second draft now, together with a Single-factor authentication profile.
As a result, there are three specifications that complement one another. The REFEDS Assurance Framework defines the requirements for identifiers, identity proofing and attribute assurance and introduces the two assurance profiles, Cappuccino and Espresso, on top of them. The Single-factor authentication (SFA) profile defines the requirements for single-factor authentication, such as passwords or soft certificates. Cappuccino applied together with the SFA authentication profile matches the AARC project’s requirements for low-risk research, and Espresso together with the third specification, REFEDS MFA, is aimed at serving research use cases with stronger assurance needs. The specifications make use of existing frameworks, such as NIST 800-63b, the Kantara Identity Assurance Framework and eIDAS.
The endeavour of writing the SFA profile, together with the GEANT project, took a couple of iterations to find the appropriate abstraction level. The working group found that the more specific the profile becomes, the more difficult details are exposed, and making specific definitions would exclude several existing products. In the end the SFA profile became a relatively lightweight definition of minimum requirements that home organisations can complement with their own, more secure practices.
Technically, RAF and SFA are mounted on SAML 2.0 and the newer OpenID Connect protocols. The RAF is expressed using the eduPersonAssurance attribute, which has so far had little use in the eduPerson schema. SAML 2.0 metadata is not used. The SFA and MFA specifications rely on the authentication context class references that are a standard part of the SAML 2.0 core and OpenID Connect specifications. The intention was to be “future proof” for the proliferation of OpenID Connect, although its maturity is not yet at the same level as SAML. For instance, there is no approved specification for mapping the eduPerson schema to OpenID Connect claims, and the working group also found that the protocol specification doesn’t have a dedicated mechanism for the Identity Provider to signal that it cannot satisfy the authentication context the relying party has requested.
In parallel to the process, the Assurance working group has started a pilot with a handful of SAML Identity and Service Providers. Although there was no opportunity to test a wide variety of SAML IdP products, the three specifications appear to be relatively straightforward to deploy on Identity Provider servers. A SAML Identity Provider’s support can be tested, for instance, in the SWITCHaai attribute viewer service. Support on the Service Provider side is even easier, as the SP just needs to request the authentication context it wishes and observe the resulting authentication context and eduPersonAssurance attribute value.
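The Service Provider side just described, the independently consumable RAF components collapsed into the Cappuccino and Espresso profiles, and the SFA/MFA authentication context class references can be put together in a few dozen lines. The following is an added Python example, not code from the REFEDS working group, the pilot or any IdP/SP product: it builds the RequestedAuthnContext an SP places in its AuthnRequest, pulls the AuthnContextClassRef and the eduPersonAssurance values out of a constructed SAML Response, and makes an access decision for the low-risk (Cappuccino plus SFA) and higher-assurance (Espresso plus MFA) cases. The value URIs, the component set assumed to stand behind Cappuccino and the urn:oid name for eduPersonAssurance are assumptions modelled on the published form of the specifications; the drafts under consultation may differ, and a real SP validates the Response signature before reading any of this.

```python
"""Consume REFEDS assurance signals carried in SAML 2.0, as a Service Provider would.

Added example; not code from the REFEDS working group, the pilot or any product.
URIs and the component set are ASSUMPTIONS modelled on the published RAF/SFA/MFA;
the SAML Response below is CONSTRUCTED for this example (and unsigned: a real SP
verifies the signature first).
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# eduPersonAssurance in the urn:oid attribute naming used by SAML (assumption)
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

# Authentication context class references and assurance values (assumed URIs)
SFA = "https://refeds.org/profile/sfa"
MFA = "https://refeds.org/profile/mfa"
RAF = "https://refeds.org/assurance"
CAPPUCCINO = RAF + "/profile/cappuccino"
ESPRESSO = RAF + "/profile/espresso"
ID_UNIQUE = RAF + "/ID/unique"                      # non-shared user ID
ID_NO_REASSIGN = RAF + "/ID/eppn-unique-no-reassign"  # never reassigned
IAP_MEDIUM = RAF + "/IAP/medium"                    # documented identity vetting
IAP_HIGH = RAF + "/IAP/high"
ATP_1M = RAF + "/ATP/ePA-1m"                        # affiliation refreshed within a month

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def requested_authn_context(acrs, comparison="exact"):
    """Serialise the <samlp:RequestedAuthnContext> an SP embeds in its AuthnRequest."""
    rac = ET.Element("{%s}RequestedAuthnContext" % NS["samlp"], Comparison=comparison)
    for acr in acrs:
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % NS["saml"]).text = acr
    return ET.tostring(rac, encoding="unicode")


def extract_assurance(response_xml):
    """Return (status code, AuthnContextClassRef, set of eduPersonAssurance values)."""
    root = ET.fromstring(response_xml)
    sc = root.find("samlp:Status/samlp:StatusCode", NS)
    status = sc.get("Value") if sc is not None else None
    acr = root.findtext(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        namespaces=NS)
    attr = root.find(".//saml:AttributeStatement/saml:Attribute[@Name='%s']"
                     % EDUPERSON_ASSURANCE, NS)
    values = set()
    if attr is not None:
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
    return status, (acr.strip() if acr else None), values


def decide(status, acr, assurance, high_risk=False):
    """Access decision. Low risk: Cappuccino (or its components) with SFA or MFA.
    High risk: Espresso with MFA. Returns (allowed, reason)."""
    if status != SUCCESS:
        # with Comparison="exact" a SAML IdP that cannot meet the request fails the Response
        return False, "IdP could not satisfy the requested authentication context"
    if high_risk:
        ok = acr == MFA and ESPRESSO in assurance
        return ok, "espresso+mfa" if ok else "needs Espresso and MFA"
    if acr not in (SFA, MFA):
        return False, "authentication context %r below SFA" % acr
    # A service may consume the components on their own instead of the profile name
    components_ok = ({ID_UNIQUE, ID_NO_REASSIGN, ATP_1M} <= assurance
                     and bool({IAP_MEDIUM, IAP_HIGH} & assurance))
    if CAPPUCCINO in assurance or ESPRESSO in assurance or components_ok:
        return True, "cappuccino+sfa"
    return False, "identity/attribute assurance below Cappuccino"


# Constructed sample Response from an IdP asserting SFA and Cappuccino
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/sfa</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
        <saml:AttributeValue>https://refeds.org/assurance</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/assurance/ID/unique</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/assurance/ID/eppn-unique-no-reassign</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/assurance/ATP/ePA-1m</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/assurance/profile/cappuccino</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(requested_authn_context([SFA]))
    status, acr, values = extract_assurance(SAMPLE_RESPONSE)
    print(decide(status, acr, values))                  # (True, 'cappuccino+sfa')
    print(decide(status, acr, values, high_risk=True))  # (False, 'needs Espresso and MFA')
```

The decision function illustrates the multi-dimensional point made earlier: a service that only needs fresh affiliation could check ATP_1M alone, while one that wants simplicity checks for the profile value. The status check covers the SAML side of the signalling gap noted for OpenID Connect: with an exact comparison, an IdP that cannot provide the requested context returns a non-success status rather than a weaker context.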
In research collaborations there is an emerging pattern where a research infrastructure operates a proxy whose SAML SP component authenticates researchers at their home organisations and decorates them with extra attributes that are then released to the actual research services. The REFEDS Assurance Framework focuses on the interface between the proxies and the home organisation IdPs, but the AARC2 project is preparing a specification covering the management of assurance inside and between one or more infrastructure proxies. As the infrastructure proxies typically allow researchers to link several external (home organisation) identities to their infrastructure identity, AARC2 is also preparing a specification for evaluating the effective combined identity when multiple external identities are linked. These works build on top of and extend the REFEDS Assurance Framework and the SFA/MFA profiles.
The REFEDS Assurance Framework does not define how a home organisation’s conformance to the framework is assessed. From previous experience we know that exposing home organisations to external audits would be expensive and could hinder adoption. In the background work by the AARC project it is proposed that a self-assessment made by the home organisation is sufficient, at least for the low-risk use cases. The IGTF also has good experience with peer audits for its profiles. The self-assessments or peer audits can be facilitated by a self-assessment tool the GEANT project is developing for assessing any kind of framework, such as Sirtfi, the Data protection Code of Conduct (CoCo) or RAF.
The REFEDS Assurance Framework and the Single-factor authentication profile are now exposed to a public consultation in parallel so that they can be read back-to-back. When the consultations are over and the feedback has been integrated, the next challenge is to disseminate the work and support its adoption in home organisations. Federation operators are expected to be key intermediaries in dissemination because they have direct relationships with the home organisations and can integrate the specifications into their existing engagement channels and policy frameworks. Expect to receive an invitation to a training workshop for adoption!