Using Levels of Assurance
Well, at least thinking about it… MAX (just MAX)
Agenda
• A little bit about me
• Level Set
• Issues of LOA determination
• LOA’s all around us
• Practical concerns about LOA's
• Discussion/Questions
just MAX?
• Rocking chair in September 2007
• Systems and Networking Operations
• Shibboleth IdP Operation (I herd the cats)
PSU and Shibboleth
• WebAssign - Physics course assignments
  – http://www.webassign.net/info/shibboleth.html
• Napster
• TurnItIn, Symplicity, LionShare
• eAuth demo at Fall Internet2 Member Meeting
• PHEAA, Library
Level Set
Level Set (cont.)
Level Set (cont.)
Issues of LOA Determination
• Multiple identification realms within a single domain
• Authoritative sources differ among realms
• Collecting information from various Registration Authorities
  – Examples: Admissions, Registrar, Human Resources, World Campus, Direct User Input
Issues of LOA Determination (cont.)
• Various Levels of Identity Proofing
  – Faxing a photo identification
  – Tuition payment
  – Signature Stations
  – 2nd Factor Authentication
What is a Signature Station?
[Flowchart: Signature Station workflow. Nodes shown: Start, Sign For Account, AD20 Agreement, AD54 Agreement, Library Agreement, Newswire? / Newswire Agreement, Printing? / Printing Agreement, Display Password, End; Yes/No branches on the Newswire and Printing decisions.]
• GPG Encrypt Signature
• Request E-mail join
• Save all agreements
LOA’s All Around Us
• OMB guidance defines four levels of assurance
  – Level 1: Little or no confidence in asserted identity’s validity
  – Level 2: Some confidence in asserted identity’s validity
  – Level 3: High confidence in asserted identity’s validity
  – Level 4: Very high confidence in asserted identity’s validity
LOA’s All Around Us (cont.)
• InCommon Federation
  – Bronze
  – Silver
• http://www.incommonfederation.org/docs/drafts/
  – Metal of the day
LOA’s All Around Us (cont.)
• Making identity assertions with a LOA
  – Just use Shibboleth and treat it like any other attribute
  – Without Shibboleth... It’s the same old story
    • Establish trust
    • Security of the communication
• Architecture of the eAuthentication demo
  – Install/configure the Shibboleth eAuth plugin
    • Plugin has a built in LOA 1 assertion
  – Exchanging certificates
Practical concerns about LOA's
• LOA for an identity, or for an Identity Provider?
  – Identity Proofing methods
    • Determination about an identity
  – Credential Assessment Framework (CAF)
    • Determination about the Credential Provider
  – Handling of passwords
  – Detecting password attacks
• Does the LOA need to be “adjusted”?
  – User forgets password/password reset
  – Password attack is detected
  – Required by a business process
  – Process for restoring an “adjusted” LOA
Practical concerns about LOA's (cont.)
• Identifying applications and LOA requirements
  – On-line general advising
  – Email
  – Course Management Software
  – E-signatures
• Supporting the users
  – Helpdesk calls for broken applications caused by “adjusted” LOA
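As an added example (not from the slides or from Penn State), a small Python model of the “adjusted” LOA idea from the last two slides: proofing methods set a ceiling on the level, the listed triggers knock the effective level back down, a restoration step brings it back, and an application with a higher LOA requirement stops working in between, which is the helpdesk-call scenario above. The numeric ceilings, per-application requirements and the attribute name `assuranceLevel` are illustrative assumptions.

```python
from dataclasses import dataclass, field

# Ceiling each identity-proofing method from the slides can support.
# Numeric values are illustrative assumptions, not PSU policy.
PROOFING_CEILING = {"direct_user_input": 1, "faxed_photo_id": 2,
                    "tuition_payment": 2, "signature_station": 3, "second_factor": 4}

# Minimum LOA each application from the slides requires (illustrative values).
APP_REQUIREMENT = {"email": 1, "online_advising": 2, "course_management": 2, "e_signature": 3}

# Triggers the slides list for "adjusting" an LOA downward.
ADJUSTING_EVENTS = {"password_reset", "password_attack_detected", "business_process"}


@dataclass
class Identity:
    proofing: set = field(default_factory=set)  # completed proofing steps
    adjusted: bool = False                      # LOA currently knocked down?

    def proofed_loa(self) -> int:
        """Level supported by the strongest completed proofing step (Level 1 floor)."""
        return max([1] + [PROOFING_CEILING[p] for p in self.proofing])

    def effective_loa(self) -> int:
        """Level actually asserted: an adjusted identity drops to Level 1."""
        return 1 if self.adjusted else self.proofed_loa()

    def record_event(self, event: str) -> None:
        """Any listed trigger marks the LOA adjusted until it is restored."""
        if event in ADJUSTING_EVENTS:
            self.adjusted = True

    def restore(self, reproofing_step: str) -> None:
        """Restoration process: a fresh, known proofing step clears the adjustment."""
        if reproofing_step not in PROOFING_CEILING:
            raise ValueError(f"unknown proofing step {reproofing_step!r}")
        self.proofing.add(reproofing_step)
        self.adjusted = False

    def can_use(self, app: str) -> bool:
        """Does the effective level meet the application's requirement?"""
        return self.effective_loa() >= APP_REQUIREMENT[app]


def assertion_attribute(ident: Identity) -> dict:
    """Release the LOA like any other attribute; 'assuranceLevel' is a hypothetical name."""
    return {"assuranceLevel": str(ident.effective_loa())}
```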
Discussion/Questions
• “If you have truly done your part to make this interactive, the discussion has all been addressed!”
• Contact Information
  – Mark “Max” Miller
    Senior Systems Engineer, Penn State – ITS, [email protected]
Copyright
Copyright Mark Miller 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.