Presentation at REFEDS June 2019: https://docs.google.com/presentation/d/1XWvC3KWNIxPWfvqyXuJ4fnYiAdqVlGXO7u1ZcybO2F4/edit#slide=id.g5bd2982d4c_0_15.
Supporting document for presentation at REFEDS June 2019: https://docs.google.com/document/d/1tv945e5cb5tbS01ZeHFU6MOAbvO6DieWw0fMSHIKxjc/edit
What are the problems we are trying to solve?
Nebulous - improve trust, improve technical integrity??
Specific - get everyone using R&S and Sirtfi?
Changing the rules we have?
Doing more to repair "problems"?
Baseline Expectations of Identity Providers
| InCommon Baseline | eduGAIN Baseline | Other Baseline | Actions or Controls |
---|---|---|---|---|
Authority | IdP01. The IdP is operated with organizational-level authority. | MRPS Statement - Membership and Eligibility. Use of the MRPS is a SHOULD recommendation in the eduGAIN SAML profile. | eduGAIN has started assessing federations against compliance with the MRPS. Need to complete this. | |
Trust | IdP02. The IdP is trusted enough to be used to access the organization’s own systems. | none. | ||
Security | IdP03. Generally-accepted security practices are applied to the IdP. | Sirtfi? | ||
Compliance | IdP04. Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL. | Required by eduGAIN: RECOMMENDED: | ||
Ownership | eduGAIN Declaration: The behaviour of any Member of any Participating Federation whose Entity description is published shall continue to be bound only by the rules of that Participating Federation |
Baseline Expectations of Service Providers
| InCommon Baseline | eduGAIN Baseline | Other Baseline | Actions or Controls |
---|---|---|---|---|
Security | SP01. Controls are in place to reasonably secure information and maintain user privacy | CoCo? Sirtfi? | ||
Security | SP02. Information received from IdPs is not shared with third parties without permission and is stored only when necessary for SP’s purpose | |||
Security | SP03. Generally-accepted security practices are applied to the SP | |||
Compliance | SP04. Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL | |||
Compliance | SP05. Unless governed by an applicable contract, attributes required to obtain service are appropriate and made known publicly |
Baseline Expectations of Federation Operators
| InCommon Baseline | eduGAIN Baseline | Other Baseline | Actions or Controls |
---|---|---|---|---|
Trust | FO1. Focus on trustworthiness of their Federation as a primary objective and be transparent about such efforts. | eduGAIN Constitution 3.1: Have an agreement defining federation membership between the Federation and its members (typically known as a Federation Policy). eduGAIN Declaration: "It will inform the eduGAIN Operational Team promptly of any changes affecting either the validation of Entities or the process for publishing Entity descriptions." | ||
Security | FO2. Generally-accepted security practices are applied to the Federation’s operational systems. | eduGAIN Constitution 3.1: Provide processes for handling complaints and incidents involving their federation members. No specific control or measure for this. Did agree to collect security contacts for federation operators and ask people to actively state they support Sirtfi. Status? | Federation Operator Security Contacts collection. Still in progress? Mandate Sirtfi? | |
Best Practice | FO3. Good practices are followed to ensure accuracy and authenticity of metadata to enable secure and trustworthy federated transactions. | eduGAIN sets a bar for joining as defined in the Constitution and in operationalising that: https://technical.edugain.org/joining_checklist. | SAML2Int? | https://technical.edugain.org/joining_checklist. https://technical.edugain.org/profile_v2. https://www.ukfederation.org.uk/fed/edugain-import-log-with-diff.txt. |
Compliance | FO4. Frameworks that improve trustworthy use of Federation, such as entity categories, are implemented and adoption by Members is promoted. | |||
Collaboration | FO5. Work with relevant Federation Operators to promote realization of baseline expectations | Collaboration required as part of the eduGAIN Declaration | ||
Technical Integrity | eduGAIN Support is using the UK federation "rules" to chase up problems with entities, but this is an unofficial request to comply rather than an official one. The eduGAIN SAML profile sets some requirements, which are monitored by the eduGAIN validator: https://technical.edugain.org/profile_v2. | SAML2Int. The "UK rules": https://www.ukfederation.org.uk/fed/edugain-import-log-with-diff.txt. | ||
Constituency | eduGAIN Constitution 3.1: Primarily serve the interests of the education and research sector. |