The AARC and GEANT GN4 projects are studying the requirements of Service Provider (SP) communities (such as research infrastructures/communities, e-infrastructures and research centres) on Level of Assurance (LoA). The survey results will serve the future development of federated authentication and authorisation in the set-up where an end user's Home Organisation (e.g. the university or research institute employing the researcher) issues him/her the authentication credentials and authenticates him/her. The survey results will be published.
1. Introduction to LoA
Narrowly speaking, LoA for user authentication covers two things:
- Identity vetting: how an end user demonstrates his/her identity at the time when s/he receives the authentication credential from his/her Home Organisation (e.g. by presenting a government photo-ID face-to-face at a registration desk, or by self-registration on-line with)
- Authentication: how an end user proves his/her identity to his/her Home Organisation's Identity Provider (IdP) server when s/he logs in (e.g. a password, or multi-factor authentication with a certificate or token)
...
- Quality and freshness of user attributes (self-asserted by the user, or vetted by the Home Organisation)
- The Home Organisation's ability and willingness to populate the attributes and release them to the SPs
The intention is to collect the SP communities' needs for the Level of Assurance (LoA) of the identity and authentication provided by research Home Organisations, i.e. the universities or other institutes that employ the researchers and assign them user identities.
2. Questions on the research infrastructures/communities
...
- researchers with a Home Organisation (that operates or potentially operates an IdP)?
- citizen scientists?
- students with a Home Organisation (that operates or potentially operates an IdP)?
- someone else? (please specify)
If you are a research community:
- is affiliation of a researcher (user) with your community typically longer lived than any organizational affiliation or employment, or does community membership stem primarily from organizational affiliation?
- do you consider yourself also as a source of (identity) assurance for your community members?
3. Questions on Identity and Authentication
...
- all user identities (accounts in the Home Organisation) belong to an individual person (i.e. there are no shared accounts like "libraryuser1", and any robot/automated agent is traceable to a named person)?
- and all users are traceable (i.e. the Home Organisation knows who they are and can reach them)?
- and the Home Organisation is willing to collaborate with you if you think one of its users misbehaves in your service?
- and that you (as an SP) can block him/her from your service?
...
- the Home Organisation has a documented identity vetting process (whatever it is) in English, and you can study it?
- each Home Organisation has a machine-readable tag that indicates how the organisation carries out identity proofing, and the tag comes from a well-defined international vocabulary?
- each user in a Home Organisation has the above tag, but different end users in the same organisation can have different tags (depending on how their identity was initially proofed)?
- the identity proofing is done face-to-face, based on a government photo-ID or equivalent?
...
- Is password-based authentication good enough for you?
- Or should passwords have some kind of quality floor? (What kind of quality floor?)
- Do you need two-factor authentication? (What kind?) Are you willing to share its costs?
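As an added illustration (not from the survey or from the AARC/GN4 projects) of how an SP could act on the per-organisation and per-user identity-proofing tags and the authentication-method questions above, deciding between allowing access, asking for step-up authentication and denying. The tag vocabulary, rank values and entity names are constructed placeholders, since the survey asks for "a well-defined international vocabulary" without naming one.

```python
from dataclasses import dataclass

# Constructed placeholder vocabulary, ordered weakest -> strongest; the survey
# asks for "a well-defined international vocabulary" without naming one.
PROOFING_RANK = {
    "urn:example:proofing:self-asserted": 0,  # on-line self-registration
    "urn:example:proofing:remote-vetted": 1,  # documents checked remotely
    "urn:example:proofing:face-to-face": 2,   # government photo-ID in person
}
AUTHN_RANK = {
    "urn:example:authn:password": 0,
    "urn:example:authn:password-floor": 1,    # password with a quality floor
    "urn:example:authn:mfa": 2,               # certificate/token second factor
}
# Constructed: organisation-level tag (one per IdP), used only as a fallback
# when the IdP releases no per-user tag.
ORG_PROOFING_TAG = {"uni-a.example": "urn:example:proofing:remote-vetted"}

@dataclass
class Login:
    """What the SP learns about one login from the IdP's assertion."""
    idp: str                  # Home Organisation's IdP (constructed name)
    user_proofing_tags: list  # per-user tags; may be empty
    authn_method: str
    traceable: bool           # Home Org knows the person and can reach them

@dataclass
class Requirement:
    """The SP's LoA floor for one resource."""
    min_proofing: int
    min_authn: int

def proofing_level(login: Login) -> int:
    """Strongest per-user tag wins; fall back to the org tag; unknown or
    missing tags count as the weakest level, never as a strong one."""
    tags = login.user_proofing_tags or [ORG_PROOFING_TAG.get(login.idp, "")]
    return max(PROOFING_RANK.get(t, 0) for t in tags)

def decide(login: Login, req: Requirement) -> str:
    """'allow', 'step-up' (identity vetting suffices but the authentication
    method is too weak, so a stronger login can fix it) or 'deny'."""
    if not login.traceable:
        return "deny"
    if proofing_level(login) < req.min_proofing:
        return "deny"  # identity vetting cannot be redone at login time
    if AUTHN_RANK.get(login.authn_method, 0) < req.min_authn:
        return "step-up"
    return "allow"
```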
3.4. Step-up authentication as a service
...
In larger universities the IdP/IdM gathers users' attributes from several registries (payroll system, CRIS (current research information system), student registry) with varying data quality. Some attributes can even be self-asserted by the user him/herself.
...
- Is it enough for you that a Home Organisation self-asserts that it complies with a certain LoA level?
- Should some external body have some enforcement rights (e.g. the Home identity federation can remove the “compliant” tag from a Home Organisation if there are doubts about whether it meets its LoA level)?
- Are internal periodic self-assessments needed? Should these be reviewed (or open to review) by e.g. the Home identity federation or federation peers?
- Are internal audits needed, where the auditors are from an independent organisational unit?
- Are external audits needed? Are you willing to share their costs?
...