Blog

Adobe Connect recording of this Assurance call is available here

Shibboleth IdP v3 and Duo MFA at Assurance Call Wed. Sept. 2, 2015

Multi Factor Authentication (MFA) is a hot topic and the community has been eagerly awaiting proven solutions to integrating Duo Security with Shibboleth IdP v3.

The Assurance call on Wednesday, Sept. 2, 2015, featured

  • University of Chicago and Unicon, detailing their solution for integrating Duo with Shibboleth v3, with presenters:
    • David Langenberg, University of Chicago
    • Jonathan Johnson, Unicon
    • Misagh Moayyed, Unicon

See slides (.pdf)

Please mark your calendar:

The InCommon Assurance Call

Wed., July 8 at noon ET


Connection Info:
+1-734-615-7474
+1-866-411-0013 (toll free US/Canada Only)
Access code: 0129048#

On this call, we will introduce:

  • Nick Roy, Internet2 director of technology and strategy. See blog.
  • Paul Caskey, Internet2 program manager of community trust and practices. See blog.

In addition, Jacob Farmer, Chair of the Assurance Advisory Committee, will present information on the new InCommon Multi-Factor Authentication (MFA) Interoperability Profile working group.

 

We look forward to seeing you on the call.

The May 6, 2015 InCommon Assurance Call featured two topics:

FIRST HALF OF CALL

Topic: Flexible Vetting: Using a Point System to Verify Identity (slides, PDF)

Presenters:
Bert Bee-Lindgren, Identity Management Architect, Georgia Tech
Jesse Rankin, Sr Identity Management Developer, Georgia Tech

SECOND HALF OF CALL

Topic: Community Feedback to SP-800-63-2 (slides, PDF)

Discussion led by:
Jacob Farmer, Indiana University and Chair of Assurance Advisory Committee

Recording of AdobeConnect webinar available here

Update as of June 2015

Based on community input on SP-800-63-2, AAC Chair Jacob Farmer sent these comments to NIST on May 22, 2015:

From: Farmer, Jacob
Sent: Friday, May 22, 2015 
To: eauth-comment@nist.gov
Subject: Comments on SP 800-63-2

Dear Colleagues,

InCommon, a FICAM Approved Trust Framework Provider, is providing the following feedback in response to the call for comments on SP 800-63-2[1].

In surveying the Higher Education community, the primary concern articulated is that the structure of the NIST LoAs – and by extension, the InCommon profiles – is monolithic and does not map well to the business challenges commonly experienced in Higher Education.  An approach that allows for the decoupling of identity proofing and credential quality would support more use cases and likely spur more adoption. 

On behalf of InCommon, we strongly encourage you to adjust the composition of the LoA in 800-63 to allow more flexibility in this regard.

Sincerely,

Jacob Farmer
Chair, InCommon Assurance Advisory Committee

[1] http://csrc.nist.gov/groups/ST/eauthentication/sp800-63-2_call-comments.html


Call for Community Input, April 2015

Colleagues,

NIST is requesting comments on Electronic Authentication Guideline SP 800-63-2 [1] by May 22, 2015, with the goal of gathering requirements for a substantial update of the spec. Please see the call for comments, and especially the "Note to Reviewers", here.

The InCommon Assurance Advisory Committee (AAC) will be preparing comments and would appreciate your input. Please share your thoughts on the InCommon Assurance email list at assurance@incommon.org. (If you are not on that list, please add yourself by sending an email to sympa@incommon.org with this in the subject: subscribe assurance)

I hope that we can have a robust and productive conversation around our desired changes to this important document.

Please provide any feedback to the list by May 8, 2015. After that time, the AAC will work with InCommon to create a draft response, which we will share with the InCommon Assurance list for one final round of comments before the May 22, 2015 deadline.

Best regards,
Jacob Farmer, Indiana University
Chair, InCommon Assurance Advisory Committee

[1] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

Monthly Assurance Call, Wed., April 1, 2015 at noon ET.

Topic: Discussion on Password Reset

led by Eric Goodman
Identity and Access Management Architect
University of California Office of the President 

Recording of AdobeConnect webinar available here 

View the slides in PDF format


Eric will start with a short introduction laying out the issues, followed by open discussion. 

During the discussion, we will consider questions such as:

  • What is your password reset policy, and what is working / not working about it?
  • Is it worth codifying password reset procedures?
  • Any recommendations to modify the language in the Assurance Profiles for InCommon to consider?

More Info on the InCommon Assurance Program

For more info on InCommon Assurance, please see

March 2015 Assurance Call - Harvard and GW Discuss their Approaches to Bronze

Note: Recording of the March 4, 2015 Assurance webinar is now available here

The Assurance webinar on Wednesday, March 4, 2015 at noon ET highlighted the assurance policies and practices of two campuses that were recently awarded InCommon Bronze certification.

George Washington University and Harvard University shared their motivations and experiences in achieving Bronze. Among other topics, they presented differing approaches to password reset and to who on their campus is certified as Bronze.

Speakers:

Asif Hafiz, Director, Identity and Access Management, George Washington University
Scott Bradner, Senior Technical Consultant, Harvard University

Moderator:
Ann West, Associate Vice President for Trust and Identity, Internet2

Please mark your calendar for the April 2015 Assurance call

Wed., April 1, 2015 at noon ET.

This call will feature Eric Goodman, Identity and Access Management Architect, University of California Office of the President, leading a discussion on various approaches to password reset.

Interested in nixing NTLMv1? Check out the webinar Turning Off NTLMv1 or How to Approach Turning Off Legacy Technology (recorded Nov. 12, 2014)

Brian Arkills described how the University of Washington successfully turned off NTLMv1: what resources and strategies they employed to avoid undesirable impacts and rollback hell. Brian also noted how other IT service managers might successfully approach turning off (or discouraging) legacy technology using similar strategies.

The session was moderated by Nick Roy from Penn State, the editor of the first release of the InCommon Silver with Active Directory Domain Services Cookbook which was revised this year. The 2014 Cookbook, in the suggested configuration changes for IAP 4.2.3.6.2 Strong Protection of Authentication Secrets, recommends turning off NTLMv1. 

Since early this year, we’ve had extensive discussions with the US Government about InCommon’s relationship to their program and next steps for federal agencies. Last month we had two face-to-face meetings alone.

Please join an open discussion to talk about where we are (soon to have 5 Bronze approved schools) and where we should be going.

The agenda will be open aside from an update on our work with the US Government. Bring your questions, suggestions, and curmudgeonly comments. All are welcome. 

Wednesday November 5, 2014 @ Noon ET

+1-734-615-7474 

+1-866-411-0013 (toll free US/Canada Only)

Access code: 0113802#

Slides: https://internet2.adobeconnect.com/venus

UMBC Achieves Bronze Certification

The University of Maryland Baltimore County (UMBC) has become the third higher-education organization to become certified for the Bronze Identity Assurance Profile under the InCommon Assurance Program.

UMBC is also the second to use the representation of conformance method to qualify for Bronze certification. Using this simplified approach for Bronze requires no audit; the identity provider attests to compliance by signing the assurance addendum to the InCommon participation agreement.

“UMBC believes Identity management is absolutely essential to campus cyber security, and Bronze and Silver represent consensus best practice in identity management,” said Jack Suess, vice president of information technology and CIO at UMBC. “It is in our interest to utilize these best practices in designing and implementing our identity management processes.”

InCommon developed the assurance program as part of its mission to provide secure and privacy-preserving trust services for its participants. Enabling higher-value, higher-risk services requires increased trust by the organizations that run the identity and cloud services.

InCommon currently has two US-Government approved assurance profiles — Bronze and Silver. Bronze is comparable to the National Institute of Standards and Technology (NIST) Assurance 1 level, which has credential security adequate for basic Internet interactions. Silver, comparable to NIST’s level of Assurance 2, requires proof of identity and has security appropriate for higher-risk transactions.

More information about the assurance program is at assurance.incommon.org.


Successful Security Practices: Counting Failed Login Attempts

Wed., Sept. 3, 2014 at Noon ET

Looking to change your security practices by counting failed login attempts and locking accounts after the agreed-upon threshold has been reached? Interested in finding out how two institutions plan to do that? While monitoring unusual login activity is considered good security practice, counting failed logins is also part of the strategy for addressing the requirements of InCommon Bronze and Silver Identity Assurance Profiles.

Join us for an informal one-hour webinar presentation to hear how two campuses are approaching this issue and what they have under development.

Moderator: Jacob Farmer, University of Indiana

Speakers:

-Brett Bieber, University of Nebraska-Lincoln 

-Benn Oshrin, University of California-Berkeley 

The session is sponsored by Internet2 and the InCommon Assurance Program and is scheduled for Wednesday, September 3, 2014 at Noon ET.

Connection Information:

Adobe Connect Information:

URL: http://internet2.adobeconnect.com/assuranceimplementerscall

If you have never attended a Connect Pro meeting before:

Test your connection: http://internet2.acrobat.com/common/help/en/support/meeting_test.htm

Get a quick overview: http://www.adobe.com/go/connectpro_overview

eDial Dial-In Information:

+1-734-615-7474 (English I2, Please use if you do not pay for Long Distance)

+1-866-411-0013 (English I2, toll free US/Canada Only)

57474 (Internet2 employees with 5 digit dialing capabilities)

Access code: 0126800#

Emily Eisbruch, Technology Transfer Analyst

Internet2

emily@internet2.edu 

office: +1-734-352-4996 | mobile +1-734-730-5749


InCommon is pleased to announce a new InCommon Assurance Alternative Means document: 

Audience for this Document: Identity Provider Operators that have been certified by the InCommon Assurance Program or are wishing to apply for certification by January 15, 2015.

Alternative Means Statement:  Identity Provider (IdP) Operators may continue to use SHA-1 to sign assertions through January 15, 2015  without compromise to their InCommon Assurance certification. IdP Operators that send assertions to a FICAM-compliant US Government Agency service provider that requests an InCommon Assurance Profile after December 31, 2013 must sign those assertions using any SHA-2 algorithm. 

Alternative Means Expiration: January 15, 2015

Background

The Identity Assurance Assessment Framework and Identity Assurance Profiles define specific requirements that Identity Provider Operators must meet in order to be certified in the InCommon Assurance Program. In addition to the specific requirements, the documents allow for the use of approved additional methods, called alternative means, to satisfy the criteria. 

To review the new Alternative Means document, see the Alternative Means page. In addition, join the Monthly Implementers Call at Noon on Wed., July 2 to learn more:

+1-734-615-7474 
+1-866-411-0013 (toll free US/Canada Only)
Access code: 0113802#

Building on the community-developed "InCommon Silver with Active Directory Domain Services Cookbook" originally released in 2012, the community has developed an updated version to address IAP 1.2.

The purpose of the Cookbook is to help campuses use AD-DS to address the Silver requirements. For more information, see the Cookbook wiki page.

University of Nebraska Medical Center First to Self-Attest for Bronze Certification

The University of Nebraska Medical Center (UNMC) has become the second higher-education organization to become certified for the Bronze Identity Assurance Profile under the InCommon Assurance Program.

UNMC is also the first to use the representation of conformance method for qualifying for Bronze certification. Using this simplified approach for Bronze requires no audit; the identity provider attests to compliance by signing the assurance addendum to the InCommon participation agreement. You can see UNMC’s implementation example on the wiki (go to https://spaces.at.internet2.edu/x/gJmKAQ and look for “Bronze” under “implementation examples”).

“Since we were already aligned with HIPAA requirements, there were only a few things left that we had to do to qualify for Bronze,” said Sharon Welna, chief information security officer for the University of Nebraska Medical Center.

InCommon developed the assurance program as part of its mission to provide secure and privacy-preserving trust services for its participants. Enabling higher-value, higher-risk services requires increased trust by the organizations that run the identity and cloud services.

InCommon currently has two assurance profiles — Bronze and Silver. Bronze, comparable to the National Institute of Standards and Technology (NIST) Assurance 1 level, has credential security associated with basic Internet interactions. Silver, comparable to NIST’s level of Assurance 2, requires proof of identity and has security appropriate for higher-risk transactions.

Also in recent months, InCommon has made available an option (called alternative means) for achieving Silver certification that uses Safenet tokens and multifactor authentication. The assurance program allows for such approved alternative means for satisfying the criteria that an identity provider must meet to achieve certification. More information is available at https://www.incommon.org/assurance/alternativemeans.html

More information about the assurance program is at assurance.incommon.org.

InCommon is sponsoring a community reading of the Bronze InCommon Assurance Profile to aid in understanding the requirements and their intent. The first discussion is scheduled for December 5th at 3:00 pm ET. Call information is:

+1-734-615-7474 (English I2, Please use if you do not pay for Long Distance),
+1-866-411-0013 (English I2, toll free US/Canada Only)
PIN: 0152556

For more information, see the InCommon Assurance Wiki

The first InCommon Identity Assurance Profile Alternative Means has been published on the InCommon website. 

This new Alternative Means document provides an additional way to meet the Silver requirements for 4.2.3 Credential Technology using a multifactor approach.

The Identity Assurance Assessment Framework and Identity Assurance Profiles define specific requirements that Identity Provider Operators must meet in order to be certified in the InCommon Assurance Program. In addition to the specific requirements, the documents allow for the use of equivalent or stronger methods, called alternative means, to satisfy the criteria. Examples include using other authentication technologies or encryption methodologies that are comparable or superior to the requirements stated in the specification documents.

To review the document, link to the Alternative Means page.