Kantara Initiative-IAF 1500-Federation Operator Guidelines-Draft-Recommendation.doc


Identity Assurance Framework:

Federation Operator Guidelines


Version: 1.0

Date: 2010-06-24

Editor: Rich Furr

Contributors:

David Wasley, Myisha Frazier-McElveen, IAWG Members [Link will be provided for final publication]


Status: This document is a Kantara Initiative Draft Recommendation, created by the IAWG (see section 3.8 of the Kantara Initiative Operating Procedures).

Abstract:

The Kantara Initiative formed the Identity Assurance Working Group (IAWG) to foster adoption of consistently managed identity trust services.  The goal is to facilitate trusted identity federation and to promote compatibility and interoperability amongst identity service providers, with a specific focus on the level of trust, or assurance, associated with identity assertions. 

Filename: Kantara Initiative-IAF 1500-Federation Operator Guidelines-Draft-Recommendation.doc


Notice:

This document has been prepared by Participants of Kantara Initiative. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce portions of this document for other uses must contact Kantara Initiative to determine whether an appropriate license for such use is available. 


Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants of and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third party intellectual property rights, and fitness for a particular purpose. Implementers of this Specification are advised to review Kantara Initiative's website (http://www.kantarainitiative.org/) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Trustees.


Copyright: The content of this document is copyright of Kantara Initiative. © 2010 Kantara Initiative.


Contents

1 Introduction

2 Business Practice Documentation

3 Application Approval

4 Federated Network of Trust

4.1 Identity Assurance Policy and Requirements

4.2 Policy Mapping

4.3 Compliance and Audit Review

4.4 Technical Interoperability and Testing

5 Negotiation of Agreements

6 Definitions

7 References

1 Introduction

The Kantara Initiative formed the Identity Assurance Working Group (IAWG) to foster adoption of consistently managed identity trust services.  The goal is to facilitate trusted identity federation and to promote compatibility and interoperability amongst identity service providers, with a specific focus on the level of trust, or assurance, associated with identity assertions. 

An identity federation represents a set of identity service providers (a.k.a. credential service providers) and relying parties (a.k.a. service providers) that agree to operate under compatible policies, standards, and technologies in order that identity providers can provide end-user identity information that can be trusted by relying parties.

Whereas a small identity federation might rely on bilateral agreements among members, a large and scalable federation must rely on an organization that can coordinate essential standards and provide essential services to all participants in the federation.  These guidelines refer to such an organization as the “Federation Operator.”

The Federation Operator (FO) supports and maintains the trust framework upon which federation participants rely.  Critical elements of the FO’s role include:

  • defining or identifying standards which must be met by all participants. These include:
    • policy and operational standards for how identity credentials are issued and managed;
    • standards for the semantics and syntax of information to be exchanged;
    • technology standards for credentials and information exchange;
    • policy standards for how Subject privacy is preserved and how Subject identity information is protected and used;
  • providing identifying credentials for participating Federation members;
  • certifying participants for compliance or compatibility with federation standards;
  • collecting and making available metadata describing participating entities, including what certification(s) the FO has issued to each participant.

In addition to the fundamental role of a community trust anchor, the FO may also:

  • aid in problem resolution and/or technology compliance testing with participants;
  • enter into interfederation agreements with other FOs, which might also require evaluation of comparative policies, translation of semantics or syntax, etc.;
  • enter into contracts for services available to community participants;
  • provide other activities or services in support of its community.

In order that the FO may perform all these roles effectively, it must be a legal entity with resources, staffing and governance that is able to enter into binding contracts and maintain liability for its actions.

These Guidelines are intended to help potential FOs develop a business model and operational plan so that interoperability among federations might be more readily achieved.  These Guidelines are a deliverable of the IAWG.

The principles may be applied regardless of the actual level(s) of assurance which are operational within the Federation. The Kantara Identity Assurance Working Group has developed the Identity Assurance Framework Assurance Levels and the Identity Assurance Framework Service Assessment Criteria, which provide a baseline that Federation Operators should use in establishing their internal policies, processes and procedures. Implementation of these policies and procedures should be assessed against the Liberty Alliance/Kantara Service Assessment Criteria.

2 Business Practice Documentation

The Federation Operator should develop published Operating Policies, Processes and Guidelines, which should be available to its members as guidance and as requirements to be met to maintain membership or affiliation with the Federation. The list below includes the minimum essential documents believed necessary to provide structure, governance and management for the Federation. Additional documents may be included depending on the needs of the Federation and its members.

Each Federation Operator should:

  • Develop an Operating Policy which should:
    • define the classes of Participants, e.g., Members, Certification Service Providers, Identity Providers, Service Providers, Subscribers, etc., which are eligible for membership in the Federation;
    • include the operational rights and responsibilities of the Federation Participants;
    • define the governance principles and structure of the Federation;
    • define a process by which security incidents are handled within the Federation.
  • Establish the liability structure and provisions under which the Federation should operate.
  • Develop a set of documents which specify requirements and/or provide guidance to the various Participants regarding the technical, procedural and process related requirements they must meet to become and remain participating entities in the Federation. These documents should include as a minimum:
    • policy and procedural document(s) which define:
      • the processes used to verify the identities of Subscribers;
      • the method and phases of management of the life cycle of the identity credential and any tokens which may be used to host or protect such credentials;
      • the process to resolve any disputes among members of the Federation;
    • general security requirements around the sensitivity of relying party applications, including handling of personally identifiable information (PII);
    • functional specifications defining the required functionality provided by the Federation and its members;
    • technical specifications that clearly identify and cite:
      • any existing standards defining the data and attributes included in any identity credentials and the structure of said credentials;
      • the structure and operating requirements of any system used to generate and manage the life cycle of identity credentials;
      • the structure and operations of any tokens used to host and protect identity credentials;
    • policies and procedures under which the compliance of Federation members with the policies, processes and specifications of the Federation is assessed and controlled;
    • a set of legal agreements/contracts which bind the Participants (e.g. members) to the Federation Operating Policies and other governing and management documents.
  • Develop the process by which disputes among and/or between the Members should be resolved.

3 Application Approval

The Federation should have established procedures in place to define and manage the application for membership process.

4 Federated Network of Trust

4.1 Identity Assurance Policy and Requirements

A fundamental role of the federation is to articulate a framework and set of technical, operational, and policy requirements for its members that establish the basis for trust. For CSPs, this should include identity proofing and credential issuance, credential strength and management, and secure storage and communication of authentication secrets and other sensitive information. For all parties, it should ensure proper handling of sensitive information and respect for the privacy of identity Subject information and activities.

4.2 Policy Mapping

Where participants already have established identity management policies, it might be necessary to create a mapping between those policies and the community standard policies.  The FO would be responsible for creating this mapping in cooperation with the participant.

If the FO wishes to be accredited by Kantara, its policies, processes, procedures and technical specifications must be mapped to the requirements defined in the Kantara Service Assessment Criteria for the requisite levels of assurance. Where there is variance, it must be resolved prior to Kantara accreditation of the Federation.

4.3 Compliance and Audit Review

The FO must undergo periodic audits against its stated policies and procedures in order to assure its participants that it is acting appropriately as the community trust anchor.

For Kantara accreditation, the Federation Operator must provide the Kantara Management Board an initial certified assessment of its compliance with the provisions of the Liberty Identity Assurance Framework when it applies for certification. Certified federations should submit annual follow-up assessments to ensure continued compliance.

Federation Operators should require similar assessments of their participants, with the exception of individual Subscribers. These assessments should be conducted against the policies, processes and specifications of the Federation or against the mapped policies as defined above.

4.4 Technical Interoperability and Testing

All authentication mechanisms and protocols used within a federation should be tested to ensure they interoperate properly among members of the federation. Where protocols that are used to convey identity information and assurance level are critical to proper operation of the federation, the FO should define how these protocols can be tested for interoperability, including tests of RP response to a flawed CSP protocol implementation and vice versa. If federation member metadata is distributed and installed dynamically, the protocols for accomplishing such distribution and for rejecting flawed metadata should also be tested.

5 Negotiation of Agreements

Agreements of Membership should be in place between the Federation and its members. To the maximum extent possible these should be standardized to ensure that all participants have a standard set of rights and responsibilities.

6 Definitions

Assessor/Auditor: Provides oversight and ensures compliance.

Approved Encryption Method: An algorithm or technique that is either (1) specified in a globally recognized government agency recommendation, or (2) adopted in a globally recognized government agency recommendation.

Assurance Level: In the context of this document, describes the degree to which a relying party in an electronic business transaction can be confident that the identity information being presented by a CSP actually represents the entity named in it and that it is the represented entity who is actually engaging in the electronic transaction.

Credential: A piece of information attesting to the integrity of certain stated facts [1].

Credential Service Provider (CSP): An electronic trust service provider that operates one or more credential services. A CSP can include a Registration Authority.

Cross Certify: A process whereby the operating policies, procedures and technical specifications of multiple entities are reviewed by an independent third party with the goal of ensuring that they all are equivalent and that implementation across the boundaries of the entities results in the ability to trust identity credentials issued by the cross certified entities.

Federation: Any alliance or association of organizations which have freely joined together for a common purpose.

Federation Operator: An organization that provides day-to-day operational support and governance for the federation. The Federation Operator is authorized to enter into binding contracts and agreements and to provide support for federation services. The Federation Operator is recognized by federation Participants as having certain roles and authority in creating a framework in which on-line identity assertions can be trusted and the privacy of identity information protected [2].

Identity Management (IdM): The combination of technical systems, rules, and procedures that define the ownership, utilization, and safeguarding of personal identity information. The primary goal of the IdM process is to assign attributes to a digital identity and to connect that identity to an individual in compliance with the Federation Operator's framework.

Identity Provider (IdP): An entity which provides user identities to the system. There can be various kinds of authentication methods supported by the IdP (e.g. username/password, X.509, OTP, etc.); entities which are capable of creating identities and distributing them to other applications; an entity that manages identity information on behalf of Subscribers and provides assertions of Subscriber authentication to other providers [1].

Participants: Otherwise independent entities that enter into a contract or binding agreement with the Federation Operator in order to receive services from the federation [2].

Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

Relying Parties: Entities that grant access to on-line services or data on the basis of the presentation of a valid credential [2].

Resource Provider: An entity which provides systems, applications and infrastructures which leverage the identities provided by the Federation for purposes of authenticating Subscribers who request authorization to access the services provided. An entity that grants access to on-line services or data on the basis of the presentation of a valid credential.

Service Assessment Criteria: The Liberty Alliance/Kantara document that provides a framework of baseline policies, requirements (criteria) and rules against which identity trust services can be assessed and evaluated.

Service Provider (SP): An entity to which a Subscriber authenticates using their credential in order to gain access to a specific infrastructure or application [1].

Subscriber: An individual who is the subject named or identified in a verified identity credential issued to that User [3].

7 References

[1] HSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors

http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html

[2] OMB M-04-04: E-Authentication Guidance for Federal Agencies

http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf

[3] OMB M-06-22: Cost Savings Achieved Through E-Government and Line of Business Initiatives

http://www.whitehouse.gov/omb/memoranda/fy2006/m06-22.pdf

[4] NIST Special Publication 800-63: Electronic Authentication Guideline

http://csrc.nist.gov/publications/nistpubs/800-63-1/sp800-63V1_0_2.pdf

[5] NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations

http://csrc.nist.gov/publications/PubsSPs.html

[6] Federal Information Processing Standard 140-2: Security Requirements for Cryptographic Modules

http://csrc.nist.gov/publications/PubsFIPS.html

[7] Federal Information Processing Standard 199: Standards for Security Categorization of Federal Information and Information Systems

http://csrc.nist.gov/publications/PubsFIPS.html

[8] X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA)

http://www.cio.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf

[9] X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework

http://www.cio.gov/fpkipa/documents/CommonPolicy.pdf

[10] Citizen and Commerce Class Common Certificate Policy

http://www.cio.gov/fpkipa/documents/citizen_commerce_cp.pdf

[11] Criteria and Methodology For Cross Certification With the U.S. Federal Bridge Certification Authority (FBCA) or Citizen and Commerce Class Common Certification Authority (C4CA)

http://www.cio.gov/fpkia/documents/crosscert_method_criteria.pdf

[12] Level of Assurance Authentication Context Profiles for SAML 2.0, DRAFT, 24 March 2009

http://www.oasis-open.org/committees/download.php/31807/sstc-saml-loa-authncontext-profile-draft-02-diff.pdf

[13] Kantara Initiative Identity Assurance Framework: Assurance Levels, V1.0

http://kantarainitiative.org/confluence/pages/viewpageattachments.action?pageId=41025670&highlight=Kantara+IAF-1200-Levels+of+Assurance.doc#Documents-attachment-Kantara+IAF-1200-Levels+of+Assurance.doc

[14] Kantara Initiative Identity Assurance Framework Service Assessment Criteria, V1.0

http://kantarainitiative.org/confluence/pages/viewpageattachments.action?pageId=41025670&highlight=Kantara+IAF-1200-Levels+of+Assurance.doc#Documents-attachment-Kantara+IAF-1200-Levels+of+Assurance.doc

Sources for the definitions marked [1], [2] and [3] in section 6:

[1] IDABC, eID Interoperability for PEGS, Common specifications for eID interoperability in the eGovernment context, December 2007

[2] InCommon-NIH Interfederation Memorandum of Agreement

[3] SAFE-BioPharma System Documentation Glossary