1 of 24

REFEDS Assurance Suite

IAM Online 13 December 2018

Mikael Linden, REFEDS assurance wg chair, mikael.linden@csc.fi

Jule Ziegler, GN4-2 assurance subtask lead, ziegler@lrz.de


Outline

  • The assurance challenge
  • REFEDS Assurance Framework
  • Single-factor authentication SFA
  • Multi-factor authentication MFA
  • Testing it


The assurance challenge

Service Provider

eduGAIN interfederation

Home University/Institution

Identity Provider

Local federation

Service Provider

How was the registration/Identity Proofing done?

Is that even a shared account (libraryuser1@university.org)?

Can this user ID be later reassigned to some other person?

How fresh is that affiliation information?

How was the user authentication done?

ePPN="bob@university.org", ePAffiliation="faculty"


REFEDS Assurance suite

  • REFEDS Assurance Framework (RAF) ver 1.0
    • Approved and published
    • https://refeds.org/assurance

  • REFEDS Single-factor authentication profile (SFA) ver 1.0
    • Approved and published
    • https://refeds.org/profile/sfa

  • REFEDS Multi-factor authentication profile (MFA) ver 1.0
    • Approved in June 2017
    • https://refeds.org/profile/mfa


The big picture of assurance in REFEDS

Identifiers:
  • ID is unique, personal and traceable
  • ePPN is unique, personal and traceable

ID proofing:
  • Low (self-asserted)
  • Medium (e.g. postal credential delivery)
  • High (e.g. F2F)

Authentication:
  • Single-factor authentication
  • Multi-factor authentication

Attributes:
  • Affiliation freshness ≤1 month
  • Affiliation freshness ≤1 day


Split of responsibility between REFEDS specs

The REFEDS Assurance framework (RAF) covers the Identifiers, ID proofing and Attributes components of the picture above. The Authentication component (the AuthN profiles) is covered by separate specifications:

  • REFEDS Single-Factor Authentication (SFA)
  • REFEDS Multi-Factor Authentication (MFA)


Assurance Framework assertions and profiles

To be expressed by the CSP in the eduPersonAssurance attribute

$PREFIX$=https://refeds.org/assurance


RAF values for properties of identifiers


eduPersonAssurance=$PREFIX$/ID/unique

  1. The user identifier represents a single natural person
  2. The CSP can contact the person to whom the identifier is issued
  3. The user identifier is never re-assigned
  4. The user identifier is eduPersonUniqueID, SAML 2.0 persistent nameId, subject-id or pairwise-id or OIDC sub (public or pairwise)

eduPersonAssurance=$PREFIX$/ID/no-eppn-reassign

  • eduPersonPrincipalName value has properties 1-3 (see above).

eduPersonAssurance=$PREFIX$/ID/eppn-reassign-1y

  • eduPersonPrincipalName value has properties 1-2 (see above) but may be re-assigned after a hiatus period of 1 year or longer.


RAF values for identity proofing


Identity proofing and credential issuance, renewal, and replacement qualify to any of…

eduPersonAssurance=$PREFIX$/IAP/low

  • sections 5.1.2-5.1.2.9 & 5.1.3 of Kantara AL1
  • IGTF level DOGWOOD or ASPEN

eduPersonAssurance=$PREFIX$/IAP/medium

  • sections 5.2.2-5.2.2.9, 5.2.2.12 & 5.2.3 of Kantara AL2
  • IGTF level BIRCH or CEDAR
  • sections 2.1.2, 2.2.2 and 2.2.4 of eIDAS low

eduPersonAssurance=$PREFIX$/IAP/high

  • sections 5.3.2-5.3.2.9, 5.3.2.12 & 5.3.3 of Kantara AL3
  • sections 2.1.2, 2.2.2 and 2.2.4 of eIDAS substantial


RAF values for attribute freshness


eduPersonAssurance=$PREFIX$/ATP/ePA-1m

  • eduPersonAffiliation, eduPersonScopedAffiliation and eduPersonPrimaryAffiliation attributes (if populated and released to the RP) reflect the user’s departure within 31 days’ time

eduPersonAssurance=$PREFIX$/ATP/ePA-1d

  • eduPersonAffiliation, eduPersonScopedAffiliation and eduPersonPrimaryAffiliation attributes (if populated and released to the RP) reflect the user’s departure within one day’s time

Departure = the organisation (through its business process) decides that a person no longer qualifies for that organisational role.

This value describes the maximum “IT lag” between that decision and the attribute values the IdP releases.


RAF conformance criteria


In all cases the CSP MUST (baseline expectations for Identity Providers):

  1. The Identity Provider is operated with organizational-level authority
  2. The Identity Provider is trusted enough that it is (or it could be) used to access the organization’s own systems
  3. Generally-accepted security practices are applied to the Identity Provider
  4. Federation metadata is accurate, complete, and includes at least one of the following: support, technical, admin, or security contacts

A CSP indicates its conformance to this profile by asserting $PREFIX$.


“Cappuccino” for low-risk research use cases

[Figure: the assurance picture (Identifiers, ID proofing, Authentication, Attributes) with the RAF values of the Cappuccino profile highlighted, together with the AuthN profile it “goes with”]


“Espresso” for more demanding use cases

[Figure: the assurance picture (Identifiers, ID proofing, Authentication, Attributes) with the RAF values of the Espresso profile highlighted, together with the AuthN profile it “goes with”]


Single-factor authentication profile

https://refeds.org/profile/sfa

To be expressed by the CSP in the AuthnContextClassRef (SAML) or acr claim (OIDC)


SFA profile requirements


Authenticator type / secret basis → minimum length:

  • Memorized Secret
    • ≥52 characters (e.g. 52 letters) → 12 characters
    • ≥72 characters (e.g. 52 letters + 10 digits + 10 special characters) → 8 characters
  • Time based OTP-Device, Out-of-Band Device
    • 10-51 characters (e.g. 10 digits) → 6 characters
    • ≥52 characters (e.g. 52 letters) → 4 characters
  • Look-Up Secret, Sequence based OTP-Device
    • 10-51 characters (e.g. 10 digits) → 10 characters
    • ≥52 characters (e.g. 52 letters) → 6 characters
  • Cryptographic Software/Device
    • RSA/DSA → 2048 bit
    • ECDSA → 256 bit


Further SFA requirements

  • Protection against online guessing (e.g. rate limiting).
  • Secrets cryptographically protected at rest and in online transit.

Way of delivery → maximum lifetime:

  • Time based OTP Device → 5 minutes
  • Telephone network (e.g. SMS, phone) → 10 minutes
  • E-mail (e.g. recovery link) → 24 hours
  • Postal mail → 1 month


SFA requirements: Replacement of a lost authentication factor

  • An existing secret must not be sent to the user (e.g. a stored password).
  • The replacement procedure does not solely rely on knowledge-based authentication (e.g. answering a secret question).
  • Human-based procedures (e.g. service desk) ensure a level of assurance of the requesting user’s identity comparable to the initial identity vetting.
  • In order to restore a lost authentication factor, an OTP may be sent to the user’s address of record.
  • For authenticators which are provided to the user as a backup, all requirements of the corresponding authentication factor apply.


Multi-factor authentication profile

https://refeds.org/profile/mfa

To be expressed by the CSP in the AuthnContextClassRef (SAML) or acr claim (OIDC)


MFA profile requirements


  • The authentication of the user’s current session used a combination of at least two of the four distinct types of factors (something you know, something you have, something you are, something you do)
  • The factors are independent (access to one factor does not by itself grant access to the other factors)
  • The combination of the factors mitigates single-factor-only risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor
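The RAF values (slides 8–11) arrive in eduPersonAssurance and the SFA/MFA result in AuthnContextClassRef or acr; a relying party still has to decide whether what the IdP released is enough. The following is an added example, not code from the slides or from REFEDS: a small SP-side evaluator that parses the asserted values and checks them against a local policy. The two policies, the sample values and all function names are constructed for illustration and are not the REFEDS profile definitions.

```python
# Added example (not from the REFEDS slides): relying-party check of the
# eduPersonAssurance values and authentication context released by an IdP.
PREFIX = "https://refeds.org/assurance"
SFA = "https://refeds.org/profile/sfa"
MFA = "https://refeds.org/profile/mfa"
IAP_RANK = {"low": 1, "medium": 2, "high": 3}  # identity-proofing levels, ordered
ATP_RANK = {"ePA-1m": 1, "ePA-1d": 2}          # fresher affiliation ranks higher


def parse_assurance(values):
    """Split RAF values into {component: set of levels} plus the bare-$PREFIX$ flag."""
    out = {"conformant": False, "ID": set(), "IAP": set(), "ATP": set()}
    for v in values:
        if v == PREFIX:                      # bare prefix = RAF conformance claim
            out["conformant"] = True
        elif v.startswith(PREFIX + "/"):
            comp, _, level = v[len(PREFIX) + 1:].partition("/")
            if comp in out and level:
                out[comp].add(level)
    return out


def evaluate(assurance_values, authn_context, policy):
    """Return (accepted, reasons). policy keys: 'id' (accepted ID values),
    'min_iap', optional 'min_atp', 'authn' (accepted context class refs)."""
    a = parse_assurance(assurance_values)
    reasons = []
    if not a["conformant"]:
        reasons.append("IdP does not assert RAF conformance (bare $PREFIX$ missing)")
    if not a["ID"] & set(policy["id"]):
        reasons.append(f"no acceptable identifier property among {sorted(a['ID'])}")
    best_iap = max((IAP_RANK.get(l, 0) for l in a["IAP"]), default=0)
    if best_iap < IAP_RANK[policy["min_iap"]]:
        reasons.append(f"identity proofing below {policy['min_iap']}")
    if policy.get("min_atp"):
        best_atp = max((ATP_RANK.get(l, 0) for l in a["ATP"]), default=0)
        if best_atp < ATP_RANK[policy["min_atp"]]:
            reasons.append(f"affiliation freshness below {policy['min_atp']}")
    if authn_context not in policy["authn"]:
        reasons.append(f"authentication context {authn_context!r} not accepted")
    return (not reasons, reasons)


# Constructed sample: what a test SP might display from one IdP response.
SAMPLE_VALUES = [PREFIX, PREFIX + "/ID/unique", PREFIX + "/IAP/low",
                 PREFIX + "/IAP/medium", PREFIX + "/ATP/ePA-1m"]
LOW_RISK = {"id": ["unique", "no-eppn-reassign"], "min_iap": "medium",
            "min_atp": "ePA-1m", "authn": [SFA, MFA]}          # hypothetical policy
DEMANDING = {"id": ["unique", "no-eppn-reassign"], "min_iap": "high",
             "min_atp": "ePA-1d", "authn": [MFA]}              # hypothetical policy

if __name__ == "__main__":
    print(evaluate(SAMPLE_VALUES, SFA, LOW_RISK))    # accepted
    print(evaluate(SAMPLE_VALUES, SFA, DEMANDING))   # rejected with three reasons
```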


Configuring and testing IdP


Configuring IdP products

Shibboleth:

SimpleSAMLphp:

  • please contribute to REFEDS wiki!

Microsoft ADFS:

  • custom attributes (eduPersonAssurance) supported
  • custom authentication contexts not supported


RAF values released by your IdP

You can ask the test SP to request a particular authentication context and display the IdP’s response.


What RAF/SFA/MFA does not cover

  • no SAML2 metadata defined
    • no technical requirements for federation operator metadata management
  • no conformance check program defined
    • self-assessment of the CSP
    • use SWITCHaai attribute viewer for testing technical conformance


Questions?

The work has been funded by

AARC, AARC2 and GN4 projects