REFEDS is developing template Federation Operator Practice guidelines. These guidelines are aimed at helping emerging and existing Identity Federations build a series of statements to describe their Federation Operator Practice (FOP). The FOP is designed to help parties understand the technical processes a Federation undertakes to create the Federation trust framework. It is designed to be a companion document to the Identity Federation Policy document and as such should work in a similar way. As with the Federation policy, sections of the FOP may point or link to other documents or parts of the Federation website to demonstrate compliance or practice rather than include these processes directly in the FOP document. One way of looking at the documents is that policy deals with WHO can be in a Federation and WHAT they can do, whereas the FOP deals with HOW the Federation ensures these rules are kept.
The template will consist of five sections:
- Key Management Practice Statement: this describes key management undertaken by the federation operator.
- Metadata Registration Practice Statement: this describes the federation operator registration practices, including eligibility.
- Metadata Publication Practice Statement: this describes the federation operator metadata publication practices.
- Monitoring Practice Statement: this describes activities undertaken by the federation operator to monitor entities and operations to ensure uptime, reliability or accuracy.
- Assurance Practice Statement: this describes the assurance processes that are supported by the given federation. Examples might be references to InCommon gold, or the UK federation "section 6".
From Mikael, not to do with text:
- As a security professional, my approach to FOP is to first define the security goal of the federation operations. My working draft is: “to ensure the integrity and availability of the federation operational systems” such as SAML2 metadata and its delivery and a discovery service (and in a hub&spoke federation, the IdP proxy). I'm not sure if confidentiality needs to be mentioned because there is little confidential in a federation (the metadata signing key is covered by the integrity objective).
- Then I would try to identify what a FOP must cover to meet that goal. In addition to KMPS, MRPS, MPS there are also less federation-specific security issues such as adequate HR resources, training, proper patch management of related servers and workstations, business continuity plan, disaster recovery plan and drills and all the ordinary security stuff. Also these need to be taken care of to meet the security goal. Yes, I know this makes FOP look like CP/CPS for PKI, and it's not a surprise.
- I wonder if it would be good to have some non-federation-related security people involved in the FOP work. They have quite good experience in developing security practices.
- I'm not sure what "Assurance Practice Statement" is intended to cover. Usually assurance means LoA, which is an IdP issue. I would like to make the FOP focus on the federation operations and keep IdP issues separate. Eat the elephant in small pieces...