
Campus Identity Management Requirements (=IAP)






Presentation Transcript


  1. Campus Identity Management Requirements (=IAP) REFEDs meeting 7.6.2009 Mikael Linden, mikael.linden@csc.fi

  2. Two aspects for Campus IdM
     • Campus IdM = the IdM system feeding the IdP with identities (technology + processes)
     • Traditional LoA: Level of Assurance for Authentication
       • Initial identity proofing, credential quality etc.
       • NIST 800-63 and EU IDABC/STORK cover only this
     • Attribute quality (especially for the attributes used for authorisation)
       • ePA="student" (Has s/he graduated, but the account has not been closed?)
       • ePEntitlement=… (Has s/he changed project, but the entitlement has not been cancelled?)
       • Out of scope for NIST 800-63

  3. Implementing Campus IdM
     [Diagram: Base registries (HR registry, student registry) supply new identities → Metadirectory synchronises attributes → Enterprise directory → Relying systems (Unix, mail, IdP etc.; operating systems, applications)]
     • Supplemented by manual processes

  4. Why Campus IdM quality? It increases trust!
     • Earlier, poor Campus IdM quality was an internal problem for universities
     • Now the federation SPs suffer from it too
     • SPs want to know there is a floor for IdM quality in every IdP
     • Requirements are coming, e.g. from a "community of practice":
       • TERENA Grid Certificate Service Project
       • CLARIN project

  5. The floor and the steps
     [Diagram: a staircase of higher LoA levels (e.g. indicated using the SAML authentication context) standing on the IdM quality floor that every IdP in a federation needs to fulfil]
     • Hierarchical or not?
     • What is easy enough to fly?

  6. Assuring the CIdM quality with audits
     Who makes the audit?
     • Self-audit
       • E.g. checklists or questionnaires that home organisations fill in
       • The federation operator checks the answers
     • Peer audit
       • As above, but the home organisations joining the federation audit each other
     • External audit
       • An external auditor makes the audit (1000 EUR a day)
     When?
     • When an IdP is registered to the federation
     • Regular re-audits?

  7. The Haka way
     • Common knowledge: some universities in Finland didn't bother to close accounts for departing users
     • When the Haka policy was outlined, the Haka steering group insisted:
       • First do your homework and clean up the Campus IdM
       • Then register your IdP to Haka
     • The federation operator has published
       • Minimum requirements
       • A questionnaire for self-audit: http://www.csc.fi/english/institutions/haka/registration/idm-description
     • The IdP-wannabe fills in and publishes the questionnaire
     • The Haka federation checks that the minimum requirements are fulfilled
