Differences

This shows you the differences between two versions of the page.

en:aai:assurance [2021/12/30 13:10] – [Levels of Assurance and the REFEDS Assurance Framework] Wolfgang Pempe
en:aai:assurance [2023/01/12 19:21] (current) – [Roadmap for the Transition Process] Wolfgang Pempe
Line 1: Line 1:
 ====== Identity Assurance ====== ====== Identity Assurance ======
-<callout type="danger" title="Work in Progress"> 
-This page is still under construction! 
-</callout> 
  
 ===== Levels of Assurance and  the REFEDS Assurance Framework ===== ===== Levels of Assurance and  the REFEDS Assurance Framework =====
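Review bot: Removing the "Work in Progress" callout at the top signals a finished page, but the same revision adds "FIXME: More documentation to follow soon" under the new REFEDS Authentication Profiles section, so the page still announces itself as incomplete. Either keep a notice scoped to the unfinished section or drop the FIXME once that documentation exists. The unchanged heading below also carries a double space in "Levels of Assurance and  the REFEDS Assurance Framework".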
Line 8: Line 5:
 **The reliability of digital identities is an essential factor in the trust fabric of an identity federation like DFN-AAI.**  **The reliability of digital identities is an essential factor in the trust fabric of an identity federation like DFN-AAI.** 
  
-The concept of the so-called [[en:degrees_of_reliance|Degrees of Reliance]] used in DFN-AAI since 2009 models the different trust levels or Degrees //Test//, //Basic// and //Advanced// via different [[en:metadata|metadata sets]]. Service providers perform a risk assessment and, depending on the protection requirements of the resources in questionconfigure the respective service provider in such way that only metadata containing the identity providers of the selected Degree of Reliance are imported. This ensures at the technical level that interaction takes place exclusively with identity providers with whom there exists a basic trust relationship+The [[https://refeds.org/assurance|REFEDS Assurance Framework]] defines how identity assurance information can be transported via values of the [[de:common_attributes#a14|eduPersonAssurance]] attributeIt enables service providers to address particularly relevant reliability criteria separately (if necessary), depending on individual protection requirements. As a internationally recognized standard, the [[https://refeds.org/assurance|REFEDS Assurance Framework]] is key factor for the connectivity of the DFN-AAI in the international context. This particularly concerns the support of research communities that depend on cross-federation collaboration via [[https://wiki.geant.org/display/eduGAIN/|eduGAIN]]
  
-The imprecise and internationally incompatible concept of Degrees of Reliance will be replaced in the course of 2022 by the [[https://refeds.org/assurance|REFEDS Assurance Framework]], which covers more criteria than the existing Degrees of Reliance. By transporting identity assurance information via values of the [[de:common_attributes#a14|eduPersonAssurance]] attribute, the REFEDS Assurance Framework enables service providers to address particularly relevant reliability criteria separately (if necessary), depending on individual protection requirements, without having to demand an abstract, opaque set of criteria in the form of a Degree of Reliance. Another motivation for the change is the effort to maintain the connectivity of the DFN-AAI in the international context by implementing an internationally recognized standard. This particularly concerns the support of research communities that depend on cross-federation collaboration via [[https://wiki.geant.org/display/eduGAIN/|eduGAIN]].  +A more detailed presentation (in German) of the facts can be found in [[https://www2.dfn.de/fileadmin/5Presse/DFNMitteilungen/DFN_Mitteilungen_100.pdf|DFN-Mitteilungen Nr. 100]] starting on page 42.
- +
-A more detailed presentation (in German) of the facts can be found in [[https://www.dfn.de/fileadmin/5Presse/DFNMitteilungen/DFN_Mitteilungen_100.pdf|DFN-Mitteilungen Nr. 100]] starting on page 42.+
  
 ===== Information for Identity Providers ===== ===== Information for Identity Providers =====
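Review bot: The replacement paragraph drops the statement that importing only the metadata set of the chosen Degree of Reliance "ensures at the technical level" that an SP interacts only with trusted IdPs, and puts nothing in its place about how an SP enforces its requirements now. Since the roadmap below abolishes the separate metadata sets, say explicitly that SPs have to evaluate the eduPersonAssurance values they receive, and point to the SP implementation notes. The link to [[en:degrees_of_reliance|Degrees of Reliance]] is also gone although the roadmap still uses the term, and the eduPersonAssurance link targets the de: namespace on an English page. Wording: "As a internationally recognized standard" should read "As an", and "is key factor" should read "is a key factor".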
Line 20: Line 15:
 [[en:aai:assurance_sp|REFEDS Assurance Framework implementation notes and configuration examples for SPs]]. [[en:aai:assurance_sp|REFEDS Assurance Framework implementation notes and configuration examples for SPs]].
  
-===== Roadmap for the Changeover =====+===== Roadmap for the Transition Process =====
   * **February 2022:** Workshop(s) on the technical implementation of the [[https://refeds.org/assurance|REFEDS Assurance Frameworks]] - dates to be announced soon.   * **February 2022:** Workshop(s) on the technical implementation of the [[https://refeds.org/assurance|REFEDS Assurance Frameworks]] - dates to be announced soon.
-  * At the **end of March 2022**, the separate metadata sets for the Degrees of Reliance //Advanced// and //Basic// will be abolished. For the productive environment of the DFN-AAI, only two metadata files will then be available, each containing the [[en:metadata|metadata]] of all productive [[https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml|IdPs]] and [[https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-sp-metadata.xml|SPs]]. The metadata administration tool of the DFN-AAI will continue to support the two Degrees //Advanced// and //Basic//. However, the IdP-side conformance to a Degree of Reliance and the related requirements of a Service Provider will then only be available via the corresponding [[en:entity_attributes|Entity Attributes]] in the IdP and SP metadata. This type of labeling has already been implemented for some time.  +  * **May, 20th <del>end of April</del> 2022**, the separate metadata sets for the Degrees of Reliance //Advanced// and //Basic// will be abolished. For the productive environment of the DFN-AAI, only two metadata files will then be available, each containing the [[en:metadata|metadata]] of all productive [[https://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml|IdPs]] and [[https://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml|SPs]]. The metadata administration tool of the DFN-AAI will continue to support the two Degrees //Advanced// and //Basic//. However, the IdP-side conformance to a Degree of Reliance and the related requirements of a Service Provider will then only be available via corresponding Entity Attributes in the IdP and SP metadata. This type of labeling has already been implemented for some time.  
-  * At the **end of 2022**, support for the Degrees of Reliance on the part of the DFN-AAI metadata registry and metadata administration tool will be discontinued. As of January 2023, information on the reliability of digital identities in the DFN-AAI will be transported exclusively via the mechanisms of the REFEDS Assurance Framework..+  * **<del>end of 2022</del> January, 12th, 2023**, support for the Degrees of Reliance on the part of the DFN-AAI metadata registry and metadata administration tool will be discontinued. As of January 2023, information on the reliability of digital identities in the DFN-AAI will be transported exclusively via the mechanisms of the REFEDS Assurance Framework.. 
 + 
 +===== REFEDS Authentication Profiles ===== 
 +  * [[https://refeds.org/profile/sfa|Single Factor Authentication Profile]] 
 +  * [[https://refeds.org/profile/mfa|Multi-Factor Authentication Profile]]  
 +    * FAQ with examples for SP and IdP Operators: https://wiki.refeds.org/display/PRO/MFA+Profile+FAQ  
 +    * Shibboleth Wiki: [[https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2114781453/Requiring+Multi-Factor+Authentication|Requiring Multi-Factor Authentication]] 
 +FIXME: More documentation to follow soon 
 +   
  
 {{tag>assurance}} {{tag>assurance}}
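Review bot: Both roadmap bullets were re-dated to 20 May 2022 and 12 January 2023, yet this revision is itself dated 2023/01/12 and the text still reads "will be abolished" and "will be discontinued", with the February 2022 workshop "dates to be announced soon"; a reader cannot tell whether the Degrees of Reliance are still honoured. Rewrite the completed steps in the past tense and state the current status. With "At the" removed, the bullets no longer parse ("May, 20th end of April 2022, the separate metadata sets ..."), and the struck-through date comes after the new one in the first bullet but before it in the second. The first bullet also loses the [[en:entity_attributes|Entity Attributes]] link in the very sentence that says this is the only place the information remains, and the second still ends in "..".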
  • Last modified: 2 years ago