
This Affects You! InCommon Federation Requirements Changing

Jul 20, 2017, by Thomas Barton
Tags: Frontpage News, InCommon Federation, Recent Posts, Trust & Identity

I want to draw the attention of every InCommon participant to a set of expectations we all will be required to meet and the proposed processes for meeting them. The goal is to reduce the considerable variance of current participant operating practices and ensure that the InCommon Federation exhibits a baseline level of trustworthiness that enables its strategic value to Research and Education to continue to grow.

We’ll all be held accountable to meet published InCommon standards by our peer members and InCommon Operations acting on the community’s behalf. When, how, and held accountable for what, exactly?

What

The definitive document is Baseline Expectations, which is the result of a year-long iterative process of assessment and feedback, shepherded by InCommon’s Assurance Advisory Committee (AAC), that ended in December 2016. The culminating step in the process took the form of an open “consultation,” in which federation-involved people around the world were invited to give their feedback. So there is reason for confidence that this formulation is a reasonable expression of where the community believes that baseline to lie, at this time. The expectations themselves are short and expressed in simple, high-level language. Here they are:

Baseline Expectations of Identity Providers

  1. The IdP is operated with organizational-level authority
  2. The IdP is trusted enough to be used to access the organization’s own systems
  3. Generally-accepted security practices are applied to the IdP
  4. Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL

Baseline Expectations of Service Providers

  1. Controls are in place to reasonably secure information and maintain user privacy
  2. Information received from IdPs is not shared with third parties without permission and is stored only when necessary for SP’s purpose
  3. Generally-accepted security practices are applied to the SP
  4. Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL
  5. Unless governed by an applicable contract, attributes required to obtain service are appropriate and made known publicly

Baseline Expectations of Federation Operators

  1. Focus on trustworthiness of their Federation as a primary objective and be transparent about such efforts
  2. Generally-accepted security practices are applied to the Federation’s operational systems
  3. Good practices are followed to ensure accuracy and authenticity of metadata to enable secure and trustworthy federated transactions
  4. Frameworks that improve trustworthy use of Federation, such as entity categories, are implemented and adoption by Members is promoted
  5. Work with relevant Federation Operators to promote realization of baseline expectations

How

That’s what each InCommon member is expected to do, as a minimum. The AAC drafted processes by which InCommon and its members can hold each other accountable for meeting these expectations, and to establish rough consensus on how they should be observed in specific operational circumstances. These include:

  • A community consensus process for interpreting Baseline Expectations
  • A community-led dispute resolution process
  • Steps InCommon Operations takes to check federation metadata for compliance and alert members to needed corrections
  • A process to alter or remove a non-compliant entity’s metadata after all measures to correct it have failed
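The metadata checks listed above can be automated. The following script is an added example, not InCommon Operations' own tooling: it parses a SAML EntityDescriptor and reports which of the items named in the Baseline Expectations (technical, administrative and security contacts, MDUI information, privacy policy URL) are absent. It assumes the REFEDS convention for the security contact (contactType="other" with a remd:contactType attribute) and that "MDUI information" means mdui:UIInfo with DisplayName, Description, Logo and PrivacyStatementURL; the sample metadata is constructed for the example.

```python
"""Added example: a minimal completeness check for SAML federation metadata.

Not InCommon's own code. Assumptions: the security contact follows the REFEDS
convention (contactType="other" plus a remd:contactType attribute), and MDUI
information means mdui:UIInfo carrying DisplayName, Description, Logo and
PrivacyStatementURL. The sample EntityDescriptor below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "remd": "http://refeds.org/metadata",
}
SECURITY_CONTACT_TYPE = "http://refeds.org/metadata/contactType/security"

# Constructed sample: an IdP that has a technical contact and a display name
# but lacks administrative and security contacts, a logo and a privacy URL.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:remd="http://refeds.org/metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
        <mdui:Description xml:lang="en">Example University IdP</mdui:Description>
      </mdui:UIInfo>
    </md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:idp-admin@example.edu</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
"""


def contact_types(entity):
    """Return the set of contact kinds present: technical, administrative, security."""
    found = set()
    for cp in entity.findall("md:ContactPerson", NS):
        ctype = cp.get("contactType")
        if ctype in ("technical", "administrative"):
            found.add(ctype)
        elif ctype == "other" and cp.get(f"{{{NS['remd']}}}contactType") == SECURITY_CONTACT_TYPE:
            found.add("security")
    return found


def check_metadata(xml_text):
    """Return a sorted list of missing items; an empty list means the entity is complete."""
    entity = ET.fromstring(xml_text)
    missing = []
    present = contact_types(entity)
    for kind in ("technical", "administrative", "security"):
        if kind not in present:
            missing.append(f"contact:{kind}")
    # MDUI lives in each role descriptor's Extensions; check every role the entity declares.
    roles = entity.findall("md:IDPSSODescriptor", NS) + entity.findall("md:SPSSODescriptor", NS)
    for role in roles:
        uiinfo = role.find("md:Extensions/mdui:UIInfo", NS)
        if uiinfo is None:
            missing.append("mdui:UIInfo")
            continue
        for element in ("DisplayName", "Description", "Logo", "PrivacyStatementURL"):
            if uiinfo.find(f"mdui:{element}", NS) is None:
                missing.append(f"mdui:{element}")
    return sorted(set(missing))


if __name__ == "__main__":
    for item in check_metadata(SAMPLE_METADATA):
        print("missing:", item)
```

Run against an aggregate, the same function applied to each EntityDescriptor gives the list of entities that would need the outreach described for Spring 2018; the security contact is the item most often absent in practice, so it is worth reporting separately from the other two contact kinds.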

There is a consultation currently underway to gather community input to ensure that these processes will be as effective as possible. This consultation will remain open through August 18, 2017, and I urge representatives from all InCommon participants to review the Baseline Expectations and the proposed operational processes, and to add your suggestions and concerns to the consultation page: https://spaces.internet2.edu/x/uZ6TBg

There are two other useful resources with more information about both the Baseline Expectations and the proposed process for implementation and accountability.

When

After the above consultation is complete and the processes are finalized, adoption and implementation has several key steps in which all members are involved. Here’s the anticipated time frame:

October 2017

  • Presentation/discussion at Internet2 Technology Exchange

Winter 2017-8

  • Broad communication and review of changes to InCommon Participation Agreement

Spring 2018

  • Outreach and help to members that need to correct federation contact information or metadata
  • Begin community consensus process for interpreting Baseline Expectations
  • Community-led dispute resolution process is operational

Summer 2018

  • Implement process to alter or remove a non-compliant entity’s metadata after all measures to correct it have failed

Many of us will only need to take simple steps such as ensuring that our federation contact information is complete and accurate and that the information we publish to the federation enables a good user experience, following well established and published InCommon standards. But the effect of us each keeping our part of the Federation in good working order will produce a reliable infrastructure for the multitude of activities depending on it, and that’s good for everyone.