
Attributes & Identity Assurance






Presentation Transcript


  1. Attributes & Identity Assurance A Challenge for IAPs

  2. Topics include
  • Trust models and why
  • How are attributes defined?
  • Issues in local vs sector vs national attr.
  • Roles as attributes
  • Issues in data management
  • Issues in attribute mapping
  • Other Interfederation issues
  • Your topics here!

  3. Identity Assurance
  • “Identity Assurance” could include many things:
    • How a Subject was enrolled in the IdMS
    • How information about the Subject is managed
    • Nature of most recent authentication event
    • Whether re-authN can be requested
  • A “complete” solution is an infinite rathole
  • Let’s try to address #2 (how information about the Subject is managed), at least lightly

  4. Trust models and why
  • Asking SP/RPs to relinquish control
    • Must trust “the assertion of identity”
    • Everything in the assertion equally?
  • May include at least some attributes
    • These may need to be trusted as much as the credential that binds the Subject to the IdMS data
  • Therefore should IAPs include attributes?
    • Or maybe we need IAAPs?

  5. A federation’s role
  • Federation sets rules for its members
    • Management of identity data
    • Part of an Identity Assurance Profile?
  • Current focus is on IdP
    • SP/RPs are also critical
    • Commercial interests don’t want constraints
  • What liability might a federation incur if it claimed to ‘enforce’ data protection and/or privacy rules?

  6. How are attributes defined?
  • eduPerson, for example
    • How should it be changed or grow?
    • Must be a community activity
    • Involve stakeholders
    • SP/RPs often don’t understand what they need (vs want).
  • NIH OrgDN
  • …

  7. Local vs Sector vs National
  • Employee ID# is local (or is it?)
    • Lots of things may be useful locally …
  • eduPerson is Higher Ed sector
    • Is it usable for eCommerce?
  • National, e.g., Homeland Security
    • Requires absolute Identity
    • Wants “nationality” but …

  8. Roles as attributes
  • Roles may reflect eligibility to perform actions or access certain services
    • “Registrar”
    • “Purchasing Agent”
    • “Research Grant Admin”
  • May need further specification
    • “Registrar:Student Financial Aid”
    • “Purchasing Agent:Contract Officer”
    • “Research Grant Admin:PI”
  • Who defines the ‘dictionary’?

  9. Issues in data management
  • How are attributes acquired in the IdMS?
    • Authoritative source (SOA)
    • Self asserted by Subject
    • Submitted by third party
    • …
  • How are changes made to IdMS data?
  • How current is the data?
  • All the usual secure system issues

  10. Issues in attribute mapping
  • What if federations have different attribute definitions?
    • Name: {given}{surname} vs {given surname}
    • International character sets …
  • Mapping of IAA?
  • What if there is no possible map?

  11. Other Interfederation issues
  • How to instantiate mapping?
    • Mapping may not be symmetrical
  • Problem resolution
  • Change management
  • Dilution of trust through transitivity
  • Differing national standards for secure systems management
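Slides 10 and 11 list the concrete failure modes of interfederation attribute mapping: differing name definitions, character sets, assurance-level (IAA) correspondence, maps that are not symmetrical, and cases where no map exists. The Python below is an added example (not from the presentation) of a mapper between two hypothetical federations: federation A carries givenName and sn separately, federation B carries a single displayName and a narrower character repertoire. Going A to B, the name is composed and its given/surname boundary recorded as lost; going B to A, the name is split only when that is unambiguous. Assurance levels are translated through an explicit table, and anything that has no defined counterpart is reported as unmappable rather than guessed. The federation names, attribute names, assurance levels, the Latin-1 repertoire and the sample records are all constructed.

```python
# Added example (not from the slides): mapping attributes between two
# hypothetical federations with different definitions. Federation A carries
# givenName and sn separately; federation B carries one displayName. The
# mapper normalises character sets, records where the map is not reversible,
# and reports attributes for which no map exists instead of guessing.
import unicodedata
from dataclasses import dataclass, field


@dataclass
class MapResult:
    mapped: dict[str, str] = field(default_factory=dict)
    unmappable: dict[str, str] = field(default_factory=dict)  # attribute -> reason
    lossy: list[str] = field(default_factory=list)             # not reversible


# Hypothetical assurance-level correspondence (the "mapping of IAA" question).
# A-medium has no counterpart in B; the mapper surfaces that instead of
# rounding up or down.
ASSURANCE_A_TO_B = {"A-basic": "B-1", "A-strong": "B-2"}
ASSURANCE_B_TO_A = {b: a for a, b in ASSURANCE_A_TO_B.items()}
# Character repertoire federation B's systems accept (hypothetical).
B_CHARSET = "latin-1"


def normalize(text: str) -> str:
    """Compose accented characters (NFC) so equal names compare equal."""
    return unicodedata.normalize("NFC", text)


def fits_charset(text: str, charset: str) -> bool:
    try:
        text.encode(charset)
        return True
    except UnicodeEncodeError:
        return False


def map_a_to_b(attrs: dict[str, str]) -> MapResult:
    res = MapResult()
    handled: set[str] = set()
    if "givenName" in attrs and "sn" in attrs:
        handled |= {"givenName", "sn"}
        full = normalize(f"{attrs['givenName']} {attrs['sn']}")
        if fits_charset(full, B_CHARSET):
            res.mapped["displayName"] = full
            res.lossy.append("displayName")  # the given/surname boundary is lost
        else:
            res.unmappable["displayName"] = f"name contains characters outside {B_CHARSET}"
    if "assuranceLevel" in attrs:
        handled.add("assuranceLevel")
        level = attrs["assuranceLevel"]
        if level in ASSURANCE_A_TO_B:
            res.mapped["assuranceLevel"] = ASSURANCE_A_TO_B[level]
        else:
            res.unmappable["assuranceLevel"] = f"no federation B equivalent for {level!r}"
    for name in attrs.keys() - handled:
        res.unmappable[name] = "attribute not defined in federation B"
    return res


def map_b_to_a(attrs: dict[str, str]) -> MapResult:
    """Reverse direction: splitting a display name is only safe when unambiguous."""
    res = MapResult()
    handled: set[str] = set()
    if "displayName" in attrs:
        handled.add("displayName")
        parts = normalize(attrs["displayName"]).split()
        if len(parts) == 2:
            res.mapped["givenName"], res.mapped["sn"] = parts
        else:
            res.unmappable["displayName"] = "cannot locate the given/surname boundary"
    if "assuranceLevel" in attrs:
        handled.add("assuranceLevel")
        level = attrs["assuranceLevel"]
        if level in ASSURANCE_B_TO_A:
            res.mapped["assuranceLevel"] = ASSURANCE_B_TO_A[level]
        else:
            res.unmappable["assuranceLevel"] = f"no federation A equivalent for {level!r}"
    for name in attrs.keys() - handled:
        res.unmappable[name] = "attribute not defined in federation A"
    return res


if __name__ == "__main__":
    # Constructed sample records.
    print(map_a_to_b({"givenName": "Zoë", "sn": "Smith", "assuranceLevel": "A-basic"}))
    print(map_a_to_b({"givenName": "Łukasz", "sn": "Nowak",
                      "assuranceLevel": "A-medium", "employeeID": "12345"}))
    print(map_b_to_a({"displayName": "Mary Ann Jones", "assuranceLevel": "B-2"}))
```

The asymmetry shows up directly: "Zoë Smith" survives a round trip, but "Mary Ann Jones" maps A to B and not back, and a local-only attribute such as employeeID, or an assurance level with no agreed equivalent, is flagged so that problem resolution and change management (slide 11) have something concrete to act on.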

  12. Discussion • …
