InCommon Participant Operating Practices: Friend or Foe?
InCommon CAMP, 21 June 2010
Paul Caskey, U.T. System
Agenda
Introducing the InCommon POP document
Why is the POP Important?
Examples of POPs
Why might the POP be inappropriate?
Introducing “Level of Assurance” (LoA)
InCommon assurance framework and profiles
Issues/Questions/Discussion…

Introducing the InCommon POP Document
What is it?
Am I required to have a POP?
What goes into the POP?
Who writes it?
Who looks at it?
Does anyone ever check its accuracy?
How do you change it?

Why is the POP Important?
*YOU* are now part of my identity management system and I need to know what types of risk that entails
The foundation of trust is understanding how those you rely on manage identities – the POP is how you achieve that
The “high-value transaction”…
Helps you to identify weaknesses in your process
Helps auditors measure your performance

Examples of POPs
The InCommon "starter" document:
http://www.incommonfederation.org/docs/policies/incommonpop_20080208.html
Institutional: many are published, but only InCommon registered contacts can see the URLs – some campuses feel this is sensitive information.
https://wiki.cac.washington.edu/display/infra/Shibboleth+for+UW+Web+Applications
http://its.lafayette.edu/about/policies/InCommonPoP
http://www.cit.cornell.edu/identity/InCommon.html
System-based: UT System:
https://idm.utsystem.edu/utfed/MemberOperatingPractices.pdf
Federation-based: U.K. Federation:
http://www.ukfederation.org.uk/content/Documents/FedDocs

Why might the POP be inappropriate?
Some are inclined to “hide” them (or URLs get changed)
Strong desire to “make it look good” or “how we plan on things working”
Can be speculative in terms of how things really work
POPs can become stale (practices/technologies change)
POPs are rarely/never verified (the “A” word…)
So, there needs to be some “teeth” in the operating practices to promote trust among participants…

Introducing “Level of Assurance” (LoA)…
What is LoA?
What is LoA NOT?
Why is it stronger than a POP?
Who gets to set the standards?
Examples of LoA
How is the required level determined?
How is it used?

The InCommon Assurance Framework
What's an IAP?
Background
How are they used?
Bronze (http://www.incommonfederation.org/docs/assurance/InC_Bronze-Silver_IAP_1.0.1.pdf)
Silver (same URL as above)
How to get started?

Issues/Questions/Discussion…
Organization-based versus subject-based? (the "exception process")
What infrastructure is needed to implement higher LoAs?
Is LoA determined only at credentialing time or should there be a run-time component?
What about remote password resets?
How urgent is LoA?

Contact Information: Paul Caskey ([email protected])