This post is part of a formal deliverable of the GÉANT GN4 “Trust and Identity Harmonisation” task, which was funded for a one-year period from May 2015 – April 2016. A series of blogposts will appear here on the REFEDS blog to help more widely disseminate the work of the task and progress achieved. More information can be found on the GÉANT wiki, including the full White Paper from the assurance sub-task.
The “Service Aspects of Assurance” subtask focused on the cost and service issues for Identity Providers to support increasing assurance requirements from research infrastructures. The amount of confidence that can be placed in these features is known as assurance, and is traditionally defined by being assigned a Level of Assurance (LoA). Some research communities tend to have higher requirements than federations in terms of LoA. These requirements were detailed in the FIM4R paper co-authored by various research communities’ representatives.
Awareness is growing in the community that a strictly hierarchical approach to assurance may not be the best suited to meeting its requirements. In traditional “levels” of assurance, each increase is seen as being an improvement on the level below. However it is rare for any given infrastructure or community to need the exact set of requirements defined within any one of those levels, which means unnecessary requirements may be placed on organisations simply because they are included in the same level as those they need.
These organisations may actually prefer to pick and choose requirements from different levels. Therefore, a better approach may be to simply refer to assurance profiles that are scoped against the specific needs of each community, allowing them to be more effectively tailored to their actual requirements. These assurance profiles may overlap in terms of hierarchical notions of strength and leave out certain sections of traditional profiles altogether. This approach is in line with the discussions of the Vectors of Trust (VoT) group within the IETF.
Although the FIM4R paper was written in 2013, the issue of assurance remains open to this day. Some federations, e.g. InCommon (USA) and SWAMID (Sweden), have made attempts to roll out assurance profiles, which however have not produced definitive results. In order to help IdPs within eduGAIN as well as research communities, GÉANT and the Authentication and Authorisation for Research and Collaboration (AARC) project are approaching the issue from two different angles. GÉANT is addressing the aspects relating to federations and IdPs, with the objective of reducing their costs, while AARC is looking at the question from the perspective of research communities and SPs. These two approaches, which are complementary, were presented in a White Paper, which addresses the service aspects of Levels of Assurance, outlining the findings of the surveys carried out of the federations and IdPs, as well as the results of internal dialogues with the IdPs. These results were then compared with the insights provided by AARC, to draw up a set of recommendations. The “sister” report from AARC is also available on the AARC website.
The subtask carried out an analysis of the existing state of assurance to determine feasibility of a service. The federation landscape in terms of assurance appears to be quite diverse. Federations differ in the way in which they assist IdPs. Some, such as Haka (Finland) and SURFnet (Netherlands), offer a self-assessment tool to measure the maturity of IdPs, while many others only define minimum requirements. The IdPs of the Danish federation WAYF are considered public organisations, and are required to comply with IT security rules (ISO 27001) and be audited.
The various definitions of assurance also differ. The German federation DFN-AAI established its own LoA with two classes, Basic and Advanced, focusing on three different aspects (registration and original identification, update of information, and authentication). InCommon, the US federation, adapted NIST Special Publication 800-63, calling the two lowest levels Bronze and Silver. The Swedish federation SWAMID has started to roll out assurance based on the Kantara Identity Assurance Framework (IAF) that introduces Assurance Levels (ALs). SWAMID AL1 is a subset of Kantara IAF AL1. In parallel, the AARC project conducted guided interviews with SP and research community representatives to gain a greater understanding of requirements from the perspective of the services. The survey helped to verify a proposed assurance baseline as the minimum standard for research communities, including the following requirements:
- Individual accounts (i.e. no shared accounts).
- Persistent, non-reassigned identifiers.
- Documented identity vetting, not necessarily face-to-face.
- Password authentication including some good practices.
- Departing user’s ePA changes promptly.
- Self-assessment of LoA supported with specific guidelines.
- Incident response in a later step.
Comparing the results of the questionnaire against the baseline, the following areas for improvement were identified:
- Non re-assigned identifiers: although persistent identifiers (such as eduPersonPrincipalName) are used, many Identity Providers currently reassign them.
- Documented identity vetting: although IdPs have a vetting process in place, this is not always documented.
- Departing user’s ePA changes promptly: the time it takes to change user data is between 2 weeks and 6 months. As closing accounts depends on internal processes and some universities have alumni accounts, the eduPerson(Scoped)Affiliation should be updated within 1 month.
- Self-assessment of assurance supported with specific guidelines: in order to set guidelines, a template needs to be designed, which can then be used for self-assessment.
- Incident response: Security Incident Response Trust Framework for Federated Identity (SIRTFI), but only as a later step, since SIRTFI as well as the related minimum assurance requirements have only recently been introduced. SIRTFI enables coordination of security incident response across federated organisations.
The implementation of assurance seems in general problematic. In Germany, although requirements are low, they still prove too high for many IdPs, resulting in a simplification of requirements on the part of federation operators. In the US, even though a formal LoA was introduced, five IdPs managed to obtain the Bronze certification and only one IdP received the Silver. The Swedish federation had more success while introducing Kantara AL2 for eduID.se thanks to a national requirement linked to student registration. Nevertheless, the cost for its introduction was significant, at between €20-50 per account just for eduID.
Even relatively small countries such as Switzerland have hundreds of thousands of accounts within the SWITCHaai federation. Consequently, IdPs also have costs and need manpower to reach a higher LoA, so assurance as a default feature would do away with the value proposition of federated identity for many such organisations.
A common problem that exists in today’s R&E federation landscape is that it is difficult to quantify the specific degree of assurance that is offered by federations. All federations provide a baseline of assurance through the practices articulated in their policies, operational practice guides and technical requirements for participants. Federations are also expected to reach standards through participation in initiatives such as eduGAIN. There is however no consistent mapping of these expectations.
This problem is recognised by the community and parallel efforts to better describe and document the baseline practices of federations is underway, with a proposed Metadata Registration Practice Template being prepared for eduGAIN participants. Improved mapping of the baseline behaviour of federations will in turn inform a better understanding of the baseline expectations for IdPs.
Recommendations for further work
From the above analysis, the following recommendations for assurance can be derived:
- Work should be carried out in collaboration with AARC before it ends in 2017, to finalise and document a baseline assurance profile for IdPs, mapped to the requirements identified by AARC. Work on best practice in some areas (e.g. password authentication practice) is still required.
- The creation of a self-assessment template / tool should be investigated, with the best recommended being a GÉANT web tool, combined with SIRTFI and other monitoring/testing tools, including recommendations and best practices. This would help address documentation requirements from the AARC minimum set. Collated information would then make it easier for research providers to see where their requirements are met.
- The status quo of reassignment of identifiers should be addressed by working with REFEDS to survey the problem space and possible solutions to this embedded practice by organisations. This may include changing general recommendations on identifiers in current common documentation.
- Work with REFEDS and AARC on maturing the SIRTFI approach to incident response should be continued.
- Peer (pairwise) auditing should be implemented for those IdPs that need to document their approach against the GÉANT assurance profile in order to verify compliance, with lower costs than external audits. The results of these audits can be displayed in the web tool described above.
- Second-factor authentication should be considered: GÉANT could offer this as a service, provide a best practice profile within eduGAIN or procure a Duo-type solution for the community sectors that need it. This would require a separate business case.
- GÉANT should develop federation maturity reports aimed at managers, helping to improve the maturity of federations at a general level and to support the federations in attaining the manpower and funding to reach these goals.
- eduGAIN should work to ensure that all federation operators subscribe to a Metadata Registration Practice Statement that complies with the recommended standard template.