At the recent TERENA AAI Workshop, I led a small group in discussing how we can practically address the assurance requirements for our user communities. It is one of the most often quoted reasons for not using existing Identity Federations; however, finding a pragmatic solution to the issues has proven difficult. Whilst Service Providers want to be able to place greater trust in Identity Providers, the cost and impact of traditional “Levels of Assurance” (LOA) means that very few Identity Provider organisations are able to raise the bar high enough to commit to such audited schemes.
REFEDS has started looking at ways that the trust bar can be raised without the need for a full assurance programme to be put in place – the Research and Scholarship Entity Category is an example, as is the joint GEANT / REFEDS work on the Code of Conduct. These efforts look at ways to raise the confidence around key criteria rather than defining a “level” of assurance across the complete identity system; as such they are more akin to lightweight assurance profiles than LOAs.
Another area where REFEDS is seeking to provide more assurance to Federation Members is through the template Federation Operator Practice Statement (FOP). This draft work is intended to encourage Federation Operators to meet a common standard of operational practice and, most importantly, to publish this practice in a series of statements that are easily findable and readable. This will give Federation Members an easier way to check practice against core concerns, such as metadata registration.
The group at the AAI workshop looked to identify very pragmatic actions that can be taken to support the assurance needs of our communities. The following actions were suggested:
- Ask user communities to define what their specific requirements are in terms of user stories and core competencies rather than holistic “levels”. This might be “I need assurance that IdPs will report security incidents to me”. This could lead to the creation of common core, but bespoke, assurance profiles.
- Review the needs of communities to see if strong authentication would meet needs as opposed to full assurance.
- Use mechanisms to allow SPs to determine an amount of reasonable trust through published documents; it was felt that the proposed REFEDS Metadata Registration Practice Statement and Key Management Practice Statement approach would help here.
- Absence of documented processes is a real problem. How do SPs know what the assumed standard for Fed Ops and IdPs is? A widely implemented template Identity Management Practice Statement for IdPs would be appreciated.
- Are bilateral arrangements for specific requirements a pragmatic answer for some SPs?
- Stop behaviour that is seen as bad assurance practice by some SPs – such as recycling ePPN (eduPerson Principal Name).
- Review processes that allow different assurance to be applied to different categories within the IdP – for example applying different assurance to staff, student and affiliate identities.
- Make eduPersonAssurance correct for all IdPs, even if it says level 0. Then SPs can filter on this.
- Undertake lightweight federation health assessments — and provide a checklist of what federations offer in terms of assurance issues. This could be voluntary via an annual survey.
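As an added example (not part of the original post, and not REFEDS or any federation software's own code), here is a sketch of how an SP could filter on the eduPersonAssurance values carried in a SAML 2.0 attribute statement, which is the point behind asking every IdP to populate the attribute even at level 0: an SP can then tell "the IdP asserts low assurance" apart from "the IdP asserts nothing". The attribute OID is the eduPerson one; the assurance URIs, the acceptable-value set and the attribute statements are constructed placeholders.

```python
"""Added example: SP-side filtering on eduPersonAssurance.

The attribute statements below are constructed for this example. In a real
SP the statement would come from a signature-validated assertion, and a
hardened parser (e.g. defusedxml) would be used instead of the stdlib one.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# eduPersonAssurance, as defined in the eduPerson schema.
EDUPERSON_ASSURANCE_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

# Constructed assurance URIs (placeholders, not a real assurance framework).
LEVEL0 = "urn:example:assurance:level0"
LEVEL1 = "urn:example:assurance:level1"


def build_statement(assurance_values: Optional[list]) -> str:
    """Build a constructed <saml:AttributeStatement>.

    None means the IdP did not release eduPersonAssurance at all; an empty
    or populated list means the attribute is present with those values.
    """
    parts = [f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">']
    if assurance_values is not None:
        parts.append(f'<saml:Attribute Name="{EDUPERSON_ASSURANCE_OID}">')
        for value in assurance_values:
            parts.append(f"<saml:AttributeValue>{value}</saml:AttributeValue>")
        parts.append("</saml:Attribute>")
    parts.append("</saml:AttributeStatement>")
    return "".join(parts)


def assurance_values(statement_xml: str) -> Optional[list]:
    """Return the eduPersonAssurance values, or None if the attribute is absent.

    The attribute is multi-valued, so all <AttributeValue> children of every
    matching <Attribute> are collected.
    """
    root = ET.fromstring(statement_xml)
    found = None
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != EDUPERSON_ASSURANCE_OID:
            continue
        if found is None:
            found = []
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            found.append((value.text or "").strip())
    return found


def sp_decision(statement_xml: str, acceptable: set) -> tuple:
    """Decide whether the SP admits the user, with a reason string.

    Policy for this example: admit only if at least one asserted value is in
    the SP's acceptable set. An absent attribute is reported distinctly from an
    explicitly asserted but unacceptable value, because those are different
    operational problems (IdP not populating the attribute vs. IdP honestly
    reporting low assurance).
    """
    values = assurance_values(statement_xml)
    if values is None:
        return (False, "eduPersonAssurance not asserted by IdP")
    matched = sorted(set(values) & acceptable)
    if matched:
        return (True, "acceptable assurance: " + ", ".join(matched))
    return (False, "asserted values not acceptable: " + ", ".join(values))


if __name__ == "__main__":
    policy = {LEVEL1}
    for label, stmt in [
        ("level1 asserted", build_statement([LEVEL1])),
        ("level0 asserted", build_statement([LEVEL0])),
        ("nothing asserted", build_statement(None)),
    ]:
        print(label, "->", sp_decision(stmt, policy))
```

The reason strings are what an SP operator would log: a stream of "not asserted" denials points at IdPs that have not implemented the attribute, whereas "level0" denials are working as intended and can be reported back to the community as a gap in the IdP's practice rather than its configuration.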
These ideas have been fed into the planning work for REFEDS, GEANT and upcoming EU calls, and we look forward to exploring further opportunities to address pragmatic assurance.