...

NIH would like to have qualified InCommon IdPs put assurance labels on SAML assertions sent to the NIH federation gateway, for ultimate consumption by NIH apps that can use identity assurance in their risk processing.  InCommon is establishing an assurance program (http://www.incommon.org/assurance/) to qualify IdPs under the InCommon Identity Assurance Framework.  This Framework is being reviewed by FICAM for acceptance under its TFPAP.  Once all the approvals are worked out and the program is under way, there will need to be technical interoperability to support the program policy goals.

Technical issues include:

Overall technical approach:  We assume it is in everyone's interest to follow the standard described in http://wiki.oasis-open.org/security/SAML2IDAssuranceProfile . This doc, however, specifies a relatively new use of a SAML feature (AuthnContext) that has been little-used, so software support is uncertain, and usage patterns are not well-established.  A fallback approach would be to use a SAML attribute to represent the assurance qualifier in the assertion.

...

  • The NIH gateway will use the InCommon LoA URIs when making requests of InCommon IdPs, and accept them in responses.  Requests will use the "exact match" matching rule, which is supported in the current Shibboleth IdP.
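To make the AuthnContext approach concrete: the following is an added example (not code from NIH, InCommon or the gateway vendor) of what the gateway side of the exchange looks like, building a RequestedAuthnContext with the "exact" rule and checking the IdP's answer against it. The InCommon assurance URIs used are assumed values, not quoted on this page, and the sample response is a constructed, unsigned fragment; a real gateway validates the signature, audience and conditions before looking at the context.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
# Assumed InCommon assurance profile URIs (not stated on this page).
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"


def requested_authn_context(class_refs):
    """Build <samlp:RequestedAuthnContext Comparison="exact"> for an AuthnRequest."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return rac


def asserted_assurance(response_xml, requested):
    """Return the assurance URI the IdP asserted, or None if it is not one we asked for.
    Under the exact rule, a different or 'higher' URI is still a mismatch."""
    root = ET.fromstring(response_xml)
    refs = [e.text.strip() for e in root.iter(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    if len(refs) != 1 or refs[0] not in requested:
        return None
    return refs[0]


def idp_declined(response_xml):
    """True when the IdP reports it could not satisfy the requested context."""
    root = ET.fromstring(response_xml)
    return any(sc.get("Value") == NO_AUTHN_CONTEXT for sc in root.iter(f"{{{SAMLP}}}StatusCode"))


# Constructed sample: a successful, trimmed-down response asserting Silver.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion><saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{SILVER}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
</samlp:Response>"""

# Constructed sample: the IdP could not meet the request (second-level status code).
DECLINED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="{NO_AUTHN_CONTEXT}"/></samlp:StatusCode></samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print(ET.tostring(requested_authn_context([SILVER])).decode())
    print(asserted_assurance(SAMPLE_RESPONSE, {SILVER}), idp_declined(DECLINED_RESPONSE))
```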

ERA or other app requirements? :  ERA is talking about being ready to federate by October 2011.  Probably only some of its functions would require Level 2.  Will this mean "step-up" authentication in a single session in some fashion?  This will be discussed with ERA.

NIH gateway capability to send AuthnRequest on-demand, and process AuthnContexts? :  It is not clear whether the gateway product has support for configurable/dynamic AuthnRequest generation, or handling of non-built-in AuthnContext responses.  The vendor will be contacted about this.  Testing will happen at some point, probably just intra-NIH, using an NIH test Shib IdP.

NIH gateway capability to obtain LoA certification info from metadata? :  InC will publish Bronze and Silver certification info in its standard metadata.  It would be preferable for NIH just to use that, so they'll look into it, but it's not necessary.

Shibboleth IdP capability to respond with correct AuthnContext on-demand, and integration with backing IdMS? :  The Shib IdP can support sending different AuthnContexts, and can deal with processing incoming AuthnRequests with the exact match rule.  How this integrates with the local authentication process, and backend IdMS features, is a local matter, but one where advice will need to be provided.  On the InC side, someone will need to demonstrate the capability and document configuration steps and issues.  This can be done with InC-side resources.

NIH review of InCommon 1.1 Assurance docs for compatibility with their notions of Level 1 and Level 2 :  NIH will need to review the new InC Assurance docs separately from ICAM, since NIH probably wants to move more quickly, and InC and NIH have had a history of pairwise MoUs.  This can start once the 1.1 docs are approved by InC Steering.

Use of Bronze/Level 1? :  Under the existing MoU between InCommon and NIH, all InCommon IdPs are accepted as Level 1 without needing InCommon Bronze certification.  Will this continue to be true indefinitely or will NIH be wanting Bronze certification for Level 1 equivalence at some point?

...