TF-OpenSpace – Session 2, room yellow. 12 February 2014.
Lead by: Ken (Internet2), Brook (TERENA), Kristof (NIIF)
...
Notes: Brook Schofield
Problem:
A merger of 3 topics:
- LoA on Attributes
- What (kinds of) attributes should a VO provide/manage?
- Solve the easy part of LoA: AuthNContext FTW!
For background information see Two Factor Authentication.
Authentication Context Tester from Roland Hedberg https://github.com/rohe/actester
What are all of the....
There are 25 different authentication contexts listed in http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf
| Name | Authentication Context | LoA Equivalent Level |
|---|---|---|
| Internet Protocol | urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:Password | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | X |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:X509 | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:PGP | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken | |
| | urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified | |
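As an added illustration (not from the session, and not code from actester), here is the SP-side half of "AuthnContext as the easy part of LoA": pull the AuthnContextClassRef out of a (constructed, unsigned) assertion and compare it against a strength ranking, failing closed when the class is missing, empty or unknown. The ranking in CONTEXT_RANK is an assumed placeholder for the "LoA Equivalent Level" column the session left open, not a standard mapping; the IdP URL and assertion IDs are likewise made up.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed, illustrative strength ranks for a few classes from the table above.
# Not a standard LoA mapping: the "LoA Equivalent Level" column is still open.
CONTEXT_RANK = {
    AC + "unspecified": 0,
    AC + "InternetProtocol": 0,
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TimeSyncToken": 3,
    AC + "MobileTwoFactorContract": 3,
    AC + "SmartcardPKI": 4,
}

def make_assertion(class_ref=None):
    """Build a minimal, constructed, unsigned assertion; class_ref=None omits AuthnContext."""
    ctx = ""
    if class_ref is not None:
        ctx = ("<saml:AuthnContext><saml:AuthnContextClassRef>%s"
               "</saml:AuthnContextClassRef></saml:AuthnContext>" % class_ref)
    return ('<saml:Assertion xmlns:saml="%s" ID="_constructed" Version="2.0" '
            'IssueInstant="2014-02-12T10:00:00Z"><saml:Issuer>https://idp.example.org/idp'
            '</saml:Issuer><saml:AuthnStatement AuthnInstant="2014-02-12T10:00:00Z">%s'
            '</saml:AuthnStatement></saml:Assertion>' % (SAML_NS, ctx))

def assertion_contexts(assertion_xml):
    """Return every AuthnContextClassRef value (one per AuthnStatement) in document order."""
    root = ET.fromstring(assertion_xml)
    return [(el.text or "").strip()
            for el in root.iter("{%s}AuthnContextClassRef" % SAML_NS)]

def meets_minimum(assertion_xml, minimum_class):
    """True only if some AuthnStatement carries a known class ranked >= minimum_class.
    Run after signature and Conditions checks; a missing, empty or unknown class fails closed."""
    required = CONTEXT_RANK[minimum_class]
    for ctx in assertion_contexts(assertion_xml):
        rank = CONTEXT_RANK.get(ctx)
        if rank is not None and rank >= required:
            return True
    return False

if __name__ == "__main__":
    a = make_assertion(AC + "PasswordProtectedTransport")
    print(assertion_contexts(a))
    print(meets_minimum(a, AC + "Password"), meets_minimum(a, AC + "TimeSyncToken"))
```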
Multicontext ....
A - we can do that now... will the groups be happy about this?!?
Ken: USA Govt - another LoA class that is strong authentication with weak identity vetting.
Under 13 - knowledge-based identity vetting.
"Limited liability persona"
Confyrm http://www.confyrm.com/ <-- no idea what they are doing!?!
Metadata Registration Practice Statement (how you register metadata within your federation)
Key Management Practice Statement (how you manage the metadata signing keys)
Template for MRPS
....
https://refeds.terena.org/index.php/REEP_Policy
[ACTION] Nicole to ask the REFEDS list on the topic of AuthnContext