Post on 01-Jan-2016
e-Authentication in Higher Education
The Meteor Project
Presenters:
Tim Cameron, National Council of Higher Education Loan Programs
Tim Bornholtz, The Bornholtz Group
The Meteor Story
What is Meteor?
• Web-based network for aggregated real-time inquiry of financial aid information
• One stop, online web service
• Collaborative effort of the FFELP community
• Freely available software and access to the network
• Customization options are available
In the beginning….
Pre-Meteor Environment (1980’s & 1990’s)
• Lenders, Guarantors, Servicers, Schools and others all offered independent web services
• Required multiple logins
• Low level of security: many required only SSN and DOB to access financial aid award data!
In the beginning….
Department of Education Modernization Plans
• Performance Based Organization approved with Higher Education Amendments in 1998
• Modernization Blueprint
  • Released September 30, 1999
  • Second Edition – 2000
  • Third Edition – 2001
  • Fourth Edition – 2002
In the beginning….
FFELP Providers Solution
• Spring 2000: CEO meeting sponsored by NCHELP
• Critical decision: create an information network to provide aggregated financial aid information.
Foundation Principles
• Open Source
• Open Collaboration
• Freely Available
• Controlled Participation Network
Meteor Today
• 14 Points of access to the Network
• 20 Data providers
• School Authentication Agents
• Several custom implementations
Meteor Participant Types
Organizations that implement the Meteor software:
• Access Providers (AP)
• Authentication Agents (AA)
• Data Providers (DP)
• Index Providers (IP)
The Meteor Process
[Diagram: Federated Authentication Process. Participants shown: Users (Student/Borrower, Financial Aid Professional, Access Provider Representative, or Lender), Access Provider, Index Provider, Data Providers; interactions labelled One, Two, Three]
The Meteor Registry
• Each participant is required to register, sign a participation agreement, and submit policies and procedures surrounding their authentication process.
• The Meteor Team Leads review the policies and procedures and assign a Level of Assurance.
• Meteor uses a centralized LDAP server to contain:
  • Public keys of all participants
  • Network status information (active, pending, suspended)
  • Contact Information
Meteor Authentication Objectives & Process
Meteor’s Authentication Objectives
• Provide a flexible, easy-to-implement authentication system.
• Ensure compliance with the Gramm-Leach-Bliley Act (GLBA), federal guidelines, and applicable state privacy laws.
• Assure data owners that only appropriately authenticated end users have access to data.
• Ensure compliance with participant organizations’ internal security and privacy guidelines.
The Meteor Authentication Model
• Each Access Provider uses their existing authentication model (single sign-on)
• Meteor levels of assurance are assigned at registration
• Meteor Level 3 complies with NIST Level 2:
  • User is required to provide an ID and a shared secret.
  • Assignment and delivery of the shared secret must be secure.
  • Assignment of the shared secret is based on validated information.
  • Reasonable assurances that the storage of the IDs and shared secrets is secure.
Meteor’s Authentication Requirements
• Access provider must ensure appropriate authentication for each end user and provide traceability back to that user
• Access provider must provide authentication policy to central authority
• Access provider must provide central authority with 30 day advance notice of changes to authentication policy
• Access provider must agree to appropriate use of data
Meteor Technical Architecture
• Apache SOAP
• SAML 1.0 – custom implementation for Meteor
• Apache XML Security
• Centralized LDAP server with:
  • Valid participant status
  • X.509 public key
  • Contact info
  • Valid authentication methods
SAML Assertion Attributes
• Role of end user
• Social Security Number
• Authentication Process ID
• Level of Assurance
• Opaque ID
• Organization ID and Type
Meteor Security – Authentication
• Each Access Provider authenticates the users at their local site.
• Local security policy is reviewed by the Meteor security team
• Each provider (Access, Index, Data) is authenticated with X.509 certificates stored in a secure centralized server
Meteor Security
Access Control
• Coarse grained role-based access control
  • FAA can view any SSN
  • Borrower can only see their SSN
  • CSR can only see SSNs where they are a party
Data confidentiality
• All production requests are encrypted with SSL/TLS
• Data not stored at Access Provider
• Legal agreements in place to determine who can access the network
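The three role rules above, written out as a single default-deny decision function. This is an added illustration, not code from the Meteor project; the role names, the `Principal` attributes, the `LOAN_PARTIES` table (a constructed stand-in for what the data providers would actually know) and the reading of "where they are a party" as "the CSR's organization is a party to one of the borrower's loans" are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Role(Enum):
    FAA = "FAA"            # financial aid administrator at a school
    BORROWER = "BORROWER"  # student/borrower looking at their own record
    CSR = "CSR"            # customer service rep at a lender/servicer/guarantor


@dataclass(frozen=True)
class Principal:
    """Attributes the assertion carries about the authenticated end user (assumed shape)."""
    role: Role
    ssn: Optional[str] = None              # the borrower's own SSN (BORROWER only)
    organization_id: Optional[str] = None  # the CSR's organization (CSR only)


# Constructed sample data: which organizations are a party to each borrower's loans.
# In a real deployment this comes from the data providers, not from a literal.
LOAN_PARTIES: Dict[str, Set[str]] = {
    "123-45-6789": {"LENDER-A", "GUARANTOR-X"},
    "987-65-4321": {"LENDER-B"},
}


def may_view_ssn(principal: Principal, requested_ssn: str,
                 loan_parties: Dict[str, Set[str]] = LOAN_PARTIES) -> bool:
    """Coarse-grained decision: may this principal view records for requested_ssn?"""
    if principal.role is Role.FAA:
        return True  # FAA can view any SSN
    if principal.role is Role.BORROWER:
        # Borrower can only see their own SSN; an assertion without an SSN gets nothing.
        return principal.ssn is not None and principal.ssn == requested_ssn
    if principal.role is Role.CSR:
        # CSR can only see SSNs where their organization is a party to a loan.
        return (principal.organization_id is not None
                and principal.organization_id in loan_parties.get(requested_ssn, set()))
    return False  # default deny for any role the policy does not name


if __name__ == "__main__":
    faa = Principal(Role.FAA)
    borrower = Principal(Role.BORROWER, ssn="123-45-6789")
    csr = Principal(Role.CSR, organization_id="LENDER-A")
    for who, target in [(faa, "987-65-4321"), (borrower, "987-65-4321"), (csr, "123-45-6789")]:
        print(who.role.value, target, "->", "allow" if may_view_ssn(who, target) else "deny")
```

The point of the shape is that the decision depends only on attributes carried in the assertion plus data the provider already holds, and that every path the policy does not name falls through to deny.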
Meteor Security – Nonrepudiation
SAML assertion has:
• Issue Instant
• Not Before time
• Not On Or After time – Default range is 4 hours
• Digitally signed with creator’s X.509 cert
Each request has:
• Timestamp for issue instant
• Default validity is 15 seconds
• Digitally signed with Access Provider’s X.509 cert
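The two time windows above, the 4-hour assertion range and the 15-second request validity, as the checks a receiving provider would run after verifying the signature. This is an added example, not Meteor's code; the clock-skew allowance and the function names are assumptions, and signature verification (which the deck says uses the sender's X.509 certificate from the registry) is out of scope here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Defaults named in the deck; the skew tolerance is an assumption added here.
ASSERTION_VALIDITY = timedelta(hours=4)    # NotOnOrAfter - NotBefore, default range
REQUEST_VALIDITY = timedelta(seconds=15)   # how long a signed request stays acceptable
CLOCK_SKEW = timedelta(seconds=5)          # assumed tolerance for clock drift between parties


def parse_utc(value: str) -> datetime:
    """Parse an xsd:dateTime in the Z form SAML uses, e.g. 2016-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class AssertionConditions:
    issue_instant: datetime
    not_before: datetime
    not_on_or_after: datetime


def build_conditions(issue_instant: datetime,
                     validity: timedelta = ASSERTION_VALIDITY) -> AssertionConditions:
    """Issuer side: NotBefore = IssueInstant, NotOnOrAfter = IssueInstant + validity."""
    return AssertionConditions(issue_instant, issue_instant, issue_instant + validity)


def assertion_is_current(c: AssertionConditions, now: datetime,
                         skew: timedelta = CLOCK_SKEW) -> bool:
    """Relying-party side. NotBefore is inclusive, NotOnOrAfter is exclusive."""
    if c.not_on_or_after <= c.not_before:
        return False                      # empty or inverted window: never accept
    if now + skew < c.not_before:
        return False                      # not yet valid
    if now - skew >= c.not_on_or_after:
        return False                      # expired
    return True


def request_is_current(issue_instant: datetime, now: datetime,
                       validity: timedelta = REQUEST_VALIDITY,
                       skew: timedelta = CLOCK_SKEW) -> bool:
    """A signed request is accepted only briefly after its IssueInstant timestamp."""
    if issue_instant > now + skew:
        return False                      # timestamped in the future
    return now - issue_instant < validity + skew


if __name__ == "__main__":
    issued = parse_utc("2016-01-01T12:00:00Z")
    cond = build_conditions(issued)
    print("assertion valid until", cond.not_on_or_after.isoformat())
    print("assertion ok at 13:30?", assertion_is_current(cond, parse_utc("2016-01-01T13:30:00Z")))
    print("request ok 10 s later?", request_is_current(issued, parse_utc("2016-01-01T12:00:10Z")))
    print("request ok 30 s later?", request_is_current(issued, parse_utc("2016-01-01T12:00:30Z")))
```

The 15-second request window only limits replay if the receiver's clock is trustworthy, so the skew allowance should stay small relative to that window; a skew as large as the window itself would silently double it.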
Meteor Logging and Monitoring
• Each provider keeps logs for a minimum of one year
• Each SAML assertion has an opaque ID
  • Similar to a userid
  • Can be used to trace a request through every step of the process
• Help Desk monitors network for unusual traffic
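How the opaque ID serves as the correlation key across providers, as an added example rather than anything from the Meteor project. The log line format, the provider identifiers and the sample lines are all constructed here; the deck says only that each provider keeps logs and that the opaque ID lets a request be traced through every step.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines, one per provider hop, deliberately out of order.
# The opaque ID, not the SSN, is the correlation key, so the SSN never has to be logged.
LOG_LINES = [
    "2016-01-01T12:00:03Z provider=DP-07 type=DP opaqueId=7f3a event=data-returned",
    "2016-01-01T12:00:01Z provider=AP-01 type=AP opaqueId=7f3a event=assertion-issued",
    "2016-01-01T12:00:02Z provider=IP-01 type=IP opaqueId=7f3a event=index-lookup",
    "2016-01-01T12:00:04Z provider=DP-02 type=DP opaqueId=9c11 event=data-returned",
    "garbage line that does not match the assumed format",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) provider=(?P<provider>\S+) "
    r"type=(?P<ptype>AP|IP|DP) opaqueId=(?P<opaque>\S+) event=(?P<event>\S+)$"
)


@dataclass(frozen=True)
class LogEvent:
    timestamp: str
    provider: str
    provider_type: str
    opaque_id: str
    event: str


def parse_log(lines: List[str]) -> List[LogEvent]:
    """Parse every line that matches the assumed format; skip the rest rather than guess."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append(LogEvent(m["ts"], m["provider"], m["ptype"], m["opaque"], m["event"]))
    return events


def trace_request(lines: List[str], opaque_id: str) -> List[LogEvent]:
    """All hops that carried this opaque ID, in time order (ISO-8601 Z strings sort lexically)."""
    hops = [e for e in parse_log(lines) if e.opaque_id == opaque_id]
    return sorted(hops, key=lambda e: e.timestamp)


def requests_per_opaque_id(lines: List[str]) -> Dict[str, int]:
    """Per-ID activity counts: raw material for a help desk looking for unusual traffic."""
    counts: Dict[str, int] = {}
    for e in parse_log(lines):
        counts[e.opaque_id] = counts.get(e.opaque_id, 0) + 1
    return counts


if __name__ == "__main__":
    for hop in trace_request(LOG_LINES, "7f3a"):
        print(hop.timestamp, hop.provider_type, hop.provider, hop.event)
    print(requests_per_opaque_id(LOG_LINES))
```

With logs from several providers concatenated, the same trace works across organizational boundaries as long as every provider records the opaque ID with each event and keeps its clock in sync.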
For More Information….
Interactive Web Site Launched: www.MeteorNetwork.org
• Audio presentation
• Interactive demonstration version of the software
• Link to the Meteor project site
Project Documentation: www.NCHELP.org/Meteor.htm
• Implementation Information
• Current Provider List
• User Guide and other documentation
Contact Information
Tim Cameron, NCHELP, meteor@nchelp.org
Tim Bornholtz, The Bornholtz Group, tim@bornholtz.com