OIX initiative, US only?
Mapping Swedish Academic Identity Federation 2.0 Policy Framework to Open Identity Exchange (OIX) Trust Framework Provider Assessment Package
Pål Axelsson, Uppsala universitet / SWAMID
Valter Nordh, Göteborgs universitet / SWAMID

Agenda - outline
• Brief introduction to SWAMID and Sweden
• Legal structure of the Swedish educational system
• SWAMID Policy OIX mapping with highlights
• Conclusion
Swedish Academic Identity Federation (SWAMID)
• SWAMID is operated by the Swedish NREN SUNET
• SWAMID 2.0 Policy Framework
  • The SWAMID Policy describes governance, membership and scope
  • The Identity Assurance Profiles describe levels of trust in claims and organizations
  • The Federation Technology Profiles describe concrete realizations of the Policy and Assurance Profiles in terms of specific technologies (e.g. SAML, eduroam)
• Identity providers must be members and represent the interests of Swedish higher education institutions (HEI)
• Service providers do not need to be members
Statistics about Sweden
• National data
  • 449,964 sq km (slightly larger than California)
  • 9.4M people in Sweden
  • 21 persons per sq km
• Higher education
  • 369,000 individual students per year
  • 321,000 full-time equivalent students per year
  • 50 HEI (universities and university colleges) with the right to award higher education qualifications
  • 35 members in SWAMID
Legal structure of the Swedish educational system
• Most higher education in Sweden is provided by governmental agencies.
• This means that most HEIs are considered part of the Swedish government.
• An agency of the Swedish government is by Swedish law only accountable in a Swedish court or an EU court with regard to the exercise of governmental authority.
• Privately owned HEIs are mostly governed by the same laws and bylaws.
• All Swedish higher education qualifications, and the HEIs awarding them, are directly accredited in the government bylaw Higher Education Ordinance, enclosure System of Qualification.
SWAMID Policy to OIX mapping
Initial goal: SWAMID Federation Operator as OIX Registered Assessor at LoA1
• In the next set of slides we present the mapping from the SWAMID 2.0 Policy Framework to the OIX Trust Framework Provider Assessment Package.
• We highlight investigation areas in their own slides.
Table 2 a4: Verify IdP has the financial capacity to manage the risks associated with serving as an identity provider on behalf of the Federal government
OIX Applicant's Response: Registered Assessor must review IdP's financial statements and verify that IdP has adequate insurance policies and limits, including Errors and Omissions coverage of at least $2,000,000, Directors and Officers coverage, and any other applicable policies.
SWAMID's finding: Most SWAMID members are Swedish government agencies and as such are not allowed to buy regular insurance. Instead, the Legal, Financial and Administrative Services Agency (Kammarkollegiet) provides insurance to government agencies. This insurance coverage is optional. All but a very small number of universities and university colleges are covered, and the minimum coverage is 10 MSEK, which at today's dollar rate is approximately 1.5 MUSD. A typical large university that is a foundation rather than a government agency (Chalmers) is privately covered at 5 times this amount. However, this requirement may be problematic and will in all likelihood prevent us from joining all SWAMID IdPs to an OIX upstream.
Table 2 a5: Verify IdP has understanding of, and compliance with, any legal requirements incumbent on the IdP in connection to serving as an identity provider on behalf of the Federal government
OIX Applicant's Response: IdP is required to submit a written statement confirming the OIX Membership requirement of compliance with applicable law, including compliance with the legal requirements in Table 1, row e, and with any other legal requirements that may be in effect for the jurisdiction in which the IdP operates. Registered Assessor must interview IdP regarding its understanding of these requirements and the policies and procedures it uses to comply with these requirements.
SWAMID's finding: This requirement may pose a problem if we want to join all IdPs to an OIX upstream. Many IdPs will not see the value in learning enough US law to be able to comply with this requirement. Please note that an agency of the Swedish government is by Swedish law only accountable in a Swedish court or an EU court with regard to the exercise of governmental authority.
Table 3 a: Opt In – Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.
OIX Applicant's Response: IdP must provide Registered Assessor with documentation of how it conforms to this requirement and give specific examples. Registered Assessor must verify that the documented IdP practices conform to this requirement.
SWAMID's finding: This requires each IdP to deploy a consent module with the accept-and-remember function turned off. This will be an issue for a large set of IdPs due to its user-unfriendliness. There is no consent module today for Shibboleth that has a per Service Provider setting for turning off accept-and-remember.
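As an added illustration of the per Service Provider setting this finding asks for (example code, not SWAMID's or Shibboleth's): a consent decision that disables accept-and-remember for an OIX relying party, shows the user every attribute, and lets the user opt out of individual attributes per transaction. The entity IDs, user and attribute values are constructed.

```python
from dataclasses import dataclass, field


class ConsentRequired(Exception):
    """Raised when the IdP must show the consent dialog before releasing anything."""
    def __init__(self, attributes):
        super().__init__("user consent required")
        self.attributes = attributes  # every attribute the user must be shown


@dataclass
class SPConsentPolicy:
    entity_id: str
    allow_remember: bool = True         # False for an OIX RP: ask on every transaction
    per_attribute_opt_out: bool = True  # let the user drop individual attributes


@dataclass
class ConsentStore:
    # (user, SP entity_id) -> frozenset of attribute names the user approved earlier
    remembered: dict = field(default_factory=dict)


def needs_prompt(policy, store, user, attributes):
    """Decide whether the consent dialog must be shown for this transaction."""
    if not policy.allow_remember:
        return True  # remembered consent is never honoured for this SP
    approved = store.remembered.get((user, policy.entity_id))
    return approved is None or not set(attributes) <= approved


def release(policy, store, user, attributes, decision=None):
    """Return the attributes to release to the SP.

    attributes: dict name -> value that the SP asked for.
    decision: dict name -> bool from the consent dialog, or None when no dialog ran.
    """
    if not needs_prompt(policy, store, user, attributes):
        return dict(attributes)  # consent remembered from an earlier transaction
    if decision is None:
        raise ConsentRequired(sorted(attributes))
    if not policy.per_attribute_opt_out and not all(decision.get(n, False) for n in attributes):
        return {}  # all-or-nothing SP: a partial consent releases nothing
    released = {n: v for n, v in attributes.items() if decision.get(n, False)}
    if policy.allow_remember:
        store.remembered[(user, policy.entity_id)] = frozenset(released)
    return released
```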
Table 3 c: Activity Tracking – Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002.
OIX Applicant's Response: IdP must provide Registered Assessor with documentation of how it conforms to this requirement. NOTE: The last sentence of this requirement is not applicable to IdPs. Registered Assessor must verify that the documented IdP practices conform to this requirement.
SWAMID's finding: What about lawful intercepts required by national legislation, some of it based on EU directives? What about statistics gathering and reporting?
Table 3 d: Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.
OIX Applicant's Response: IdP must provide Registered Assessor with documentation of how it conforms to this requirement and give specific examples. Registered Assessor must verify that the documented IdP practices conform to this requirement.
SWAMID's finding: This could be fulfilled by requiring a consent module activated for the OIX RP. Possibly not consent as such, but certainly the IdP needs to notify the user when the authentication happens. Would the default login page for Shibboleth 2.3.0 fulfil these requirements?
Table 7A 6: Some effort should be made to uniquely identify and track applications.
OIX Applicant's Response: ("Applications" means "requests for token".) IdP must show it has reasonable means to ensure that the same party acts throughout the registration, and token and credential issuance processes as may be specified in NIST 800-63 or equivalent.
SWAMID's finding: This should be covered by the identity management practice statement. We need to understand this requirement better. Is it about using nonces to track a subject through the various stages of the application and registration process?
UK Access Management Federation (Nicole Harris)
• UK federation operated by JISC Collections and EDINA
• UK federation policy framework:
  • Short ‘Rules of Membership’
  • ‘Section 6’ is the only current assurance profile
  • Technical recommendations for participants
• Currently 99% Higher Education, 80% Further Education, plus some schools (K12) coverage
• 880 members, 1280 entities
UK Assessment (Nicole Harris)
• UK focus to date on low-level assurance
• UK federation dealing with K-99: a large range of assurance requirements
• ‘Pain points’ the same as the SWAMID findings
• How do we technically manage an OIX aggregate for metadata?
• We will not seek to uplift all IdPs in the UK federation to this level
Conclusions
Moving away from technical issues toward primarily legal but also economic aspects. Main problem areas:
• US legal requirements vs. Swedish national legislation
• Strict opt-in requirements
• Legal requirements
• User friendliness vs. data protection
• Insurance requirements
About
• SWEDEN.SE: Sweden in brief: http://www.sweden.se/eng/Home/Quick-facts/Sweden-in-brief/
• About Sweden from Wikipedia.org: http://en.wikipedia.org/wiki/Sweden
• SWAMID 2.0 Policy: http://www.swamid.se/11/policy/swamid-2.0.html (page is in Swedish but the policy framework documents are in English)
• National qualifications framework in Sweden: http://hsv.se/highereducationinsweden/nationalqualificationsframework.4.5dc5cfca11dd92979c480001476.html
• OIX Trust Framework Provider Assessment Package: http://openidentityexchange.org/sites/default/files/oix-us-icam-loa1-tfp-assessment-package-2010-02-12.pdf