Skip to end of metadata
Go to start of metadata

Contents

Resources

Mailing list: federation-baseline@lists.refeds.org.  Join at: https://lists.refeds.org/sympa/info/federation-baseline

Presentation at REFEDS June 2019: https://docs.google.com/presentation/d/1XWvC3KWNIxPWfvqyXuJ4fnYiAdqVlGXO7u1ZcybO2F4/edit?usp=sharing.

Supporting document for presentation at REFEDS June 2019: https://docs.google.com/document/d/1tv945e5cb5tbS01ZeHFU6MOAbvO6DieWw0fMSHIKxjc/edit?usp=sharing

What are the problems we are trying to solve?

  • Nebulous - improve trust, improve technical integrity, improve quality of metadata, improve maturity (R&S).
  • Specific - get everyone using R&S and Sirtfi?
  • Changing the rules we have?
  • Doing more to repair "problems"?
  • Does increasing / changing rules change behaviour? Is policy pointless?
    • Maybe, but process, backed by policy, can change behaviour
  • Do we want to look at something just for FOs?  for entities as well?
  • What are the actions / controls

Baseline Expectations of Identity Providers


InCommon BaselineeduGAIN BaselineOther BaselineActions or Controls
AuthorityIdP01.  The IdP is operated with organizational-level authority.

MRPS Statement - Membership and Eligibility. Use of the MRPS is a SHOULD recommendation in the eduGAIN SAML profile.


eduGAIN Declaration: The behaviour of any Member of any Participating Federation whose Entity description is published shall continue to be bound only by the rules of that Participating Federation.


eduGAIN has started assessing federations against compliance with the MRPS. Need to complete this.
TrustIdP02. The IdP is trusted enough to be used to access the organization’s own systems.none.

SecurityIdP03. Generally-accepted security practices are applied to the IdP.Sirtfi?

ComplianceIdP04. Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL.

Required by eduGAIN:
 - technical contact (eduGAIN SAML Profile).
SHOULD:
 - mdui. 

RECOMMENDED:
 - privacy policy in CoCo.
 - security contacts in Sirtfi.


Monitored via various tools.  Some warnings / issues actively chased, others not. 


Baseline Expectations of Service Providers


InCommon BaselineeduGAIN BaselineOther BaselineActions or Controls
SecuritySP01. Controls are in place to reasonably secure information and maintain user privacyCoCo? Sirtfi?

SecuritySP02. Information received from IdPs is not shared with third parties without permission and is stored only when necessary for SP’s purpose
GDPR
SecuritySP03. Generally-accepted security practices are applied to the SPSirtfi?

ComplianceSP04. Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL

Required by eduGAIN:
 - technical contact (eduGAIN SAML Profile).
SHOULD:
 - mdui. 

RECOMMENDED:
 - privacy policy in CoCo.
 - security contacts in Sirtfi



ComplianceSP05. Unless governed by an applicable contract, attributes required to obtain service are appropriate and made known publiclyonly via CoCo and R&SAAF: Publish attribute requirements in metadata as RequestedAttribute elements of the AttributeConsumingService.


Baseline Expectations of Federation Operators



InCommon BaselineeduGAIN BaselineOther BaselineActions or Controls
TrustFO1. Focus on trustworthiness of their Federation as a primary objective and be transparent about such efforts.

eduGAIN Constitution 3.1: Have an agreement defining federation membership between the Federation and its members(typically known as a Federation Policy).

eduGAIN Declaration: " It will inform the eduGAIN Operational Team promptly of any changes affecting either the validation of Entities or the process for publishing Entity descriptions."




SecurityFO2. Generally-accepted security practices are applied to the Federation’s operational systems.

eduGAIN Constitution 3.1: Provide processes for handling complaints and incidents involving their federation members.

No specific control or measure for this. Did agree to collect security contacts for federation operators and ask people to actively state they support Sirtfi.  Status?


Federation Operator Security Contacts collection.  Still in progress?

Federation Operator declaring support for Sirtfi . Still in progress.

Mandate Sirtfi?

ComplianceFO3. Good practices are followed to ensure accuracy and authenticity of metadata to enable secure and trustworthy federated transactions.

eduGAIN sets a bar for joining as defined in the Constitution and in operationalising that: https://technical.edugain.org/joining_checklist.


eduGAIN Support is using the UK federation "rules" to chase up problems with entities, but this is unofficial request to comply rather than official.

eduGAIN SAML profile sets some requirements, which are monitored by the eduGAIN validator: https://technical.edugain.org/profile_v2.

SAML2Int

The "UK rules": https://www.ukfederation.org.uk/fed/edugain-import-log-with-diff.txt.

Most of these rules are documented at: InCommon Interfederation Technical Policy

https://technical.edugain.org/joining_checklist.

https://technical.edugain.org/profile_v2.

https://www.ukfederation.org.uk/fed/edugain-import-log-with-diff.txt.

ComplianceFO4. Frameworks that improve trustworthy use of Federation, such as entity categories, are implemented and adoption by Members is promoted.

eduGAIN recommends Current Best Practice documents and provides tools to monitor compliance. 




TrustFO5.  Work with relevant Federation Operators to promote realization of baseline expectationsCollaboration required as part of the eduGAIN Declaration

Authority
eduGAIN  Constitution 3.1: Primarily serve the interests of the education and research sector.




  • No labels