E-Authentication & Authorization Presentation to the EA2 Task Force March 6, 2007.


Transcript of E-Authentication & Authorization Presentation to the EA2 Task Force March 6, 2007.

Page 1:

e-Authentication & Authorization
Presentation to the EA2 Task Force

March 6, 2007

Page 2:

What is Meteor?

Web-based universal access channel for real-time inquiry of financial aid information

Aggregated information to assist Financial Aid Professionals, students and borrowers with debt counseling and the aid process in general

Collaborative effort of leading FFELP providers

Freely available software and access to the network

Page 3:

The Meteor Project Components

The Meteor Software
The Meteor Network
The Meteor Federation

Page 4:

Meteor Software Features

Information from multiple data providers is aggregated in real-time to assist the FAP and the borrower with the financial aid process, repayment and default aversion.

Meteor is a collaborative effort utilizing leading-edge technology, and access is provided at no charge.

Page 5:

Meteor Software Features

Access timely, student-specific financial aid information from multiple sources

One-stop, common, online customer service resource

Page 6:

Types of Data Available

FFELP
Alternative/Private Loans
State Grants & Scholarships (Planned)
Perkins (In development)
Direct Loans (Planned)
Pell Grants (Planned)

Page 7:

The Meteor Network

Meteor
Federated Model: Transitive Trust
Multiple points of access

User Roles
School
Student/Borrower
Customer Service Representatives
Lenders

Page 8:

Use of data approved by FSA

FSA approval for use of real-time data

Collaborative effort to bring about change to the requirement for schools to rely solely on NSLDS

Allows schools to resolve discrepancies by using real-time data that comes directly from the loan holders' databases

Page 9:

The Meteor Process

[Diagram: Users (Student/Borrower, Financial Aid Professional, Access Provider Representative or Lender), Federated Authentication Process, Access Provider, Index Provider, Data Providers; steps labelled One, Two, Three.]

Page 10:

E-Authentication

The MAT worked with the Shibboleth project, a project of Internet2/Mace, in developing architectures, policy structures, practical technologies, and an open source implementation to support inter-agency sharing of web resources.

Shibboleth project participants include Brown University, Ohio State, Penn State and many other colleges and universities.

Page 11:

Building Trust and Integrity

The Meteor Advisory Team sought input and expertise regarding privacy and security from the sponsoring organizations and the NCHELP Legal Committee.

Analysis was provided in relation to the Gramm-Leach-Bliley Act (GLBA) and individual state privacy laws.

The analysis revealed that Meteor complied with both GLB and known state privacy provisions.

Page 12:

Building Trust and Integrity

Federated model of authentication
Meteor Participant Certification
Conditions of Use
Authentication protocol review
Use of Data Exception Policy

Page 13:

Reliability and Security

Data is sent directly from the data provider’s system and is not altered in any way within Meteor

All data is electronically transmitted securely using SSL encryption

Independent Audit showed no serious vulnerabilities

Page 14:

Meteor’s Authentication Objectives

Provide a flexible, easy to implement authentication system that meets the needs of the provider organizations and their customers.

Ensure compliance with the Gramm-Leach-Bliley Act (GLBA), federal guidelines, and applicable state privacy laws.

Page 15:

Meteor’s Authentication Objectives

Assure data owners that only appropriately authenticated end users have access to data.

Ensure compliance with participant organizations' internal security and privacy guidelines.

Page 16:

Authentication

No central authentication process
Utilizes transitive trust model
Each Access Provider uses their existing authentication model (single sign-on)
Level of trust assigned at registration

Page 17:

The Meteor Authentication Model

Each Access Provider uses their existing authentication model (single sign-on)

Meteor levels of assurance are assigned at registration:
Level 0 (Unique ID)
Level 1 (Unique ID & 1 piece of validated public data)
Level 2 (Unique ID & 2 pieces of validated public data)
Level 3 (Unique/User ID & shared secret)

Meteor Level 3 complies with NIST Level 2

Page 18:

Meteor’s Authentication Requirements

User is required to provide an ID and a shared secret.

Assignment and delivery of the shared secret must be secure.

Assignment of the shared secret is based on validated information.

Reasonable assurances that the storage of the IDs and shared secrets is secure.

Page 19:

E-Authentication Policies

Access provider must ensure appropriate authentication for each end user and provide traceability back to that user

Access provider must provide authentication policy to central authority

Access provider must provide central authority with 30 day advance notice of changes to authentication policy

Access provider must agree to appropriate use of data

Page 20:

The Meteor Authentication Process

End user authenticates at access provider site or through a Meteor approved third party Authentication Agent

Access provider creates authentication assertion (SAML)

Access provider signs authentication assertion with digital certificate

Control is passed to Meteor software

Page 21:

The Meteor Authentication Process

Index and data providers verify assertion using the access provider’s public key stored in the registry.

End user is provided access to the aggregated data

Page 22:

SAML Assertion Attributes

Role of end user
Social Security Number
Authentication Process ID
Level of Assurance
Opaque ID
School OPEID (Summer 2007)

Page 23:

Current Status

1 Index Provider
20 Data Providers
15 Access Providers
1 Authentication Agent

Page 24:

Meteor Usage

FAA Statistics
Usage has been increasing since FSA announcement about use of real time data
Borrower Statistics

Meteor… not just an inquiry network

In addition to providing access to and aggregation of financial aid award information, the Meteor software can also be used by organizations to enhance their current services.

MYF integration
Internal usage of the software at member organizations

Page 25:

Authentication and Authorization

Authentication is the process of determining the identity of a user that is attempting to access a system.

Authorization is the process of determining what types of activities are permitted.

Page 26:

Authentication and Authorization

Once you have authenticated a user, they may be authorized different types of access or activity.

Meteor Roles
Financial Aid Professional
Student/Borrower
Customer Service
Lender

Page 27:

Authentication Process:

Student logs into Access Provider site (e.g. school, lender, servicer or guarantor)
Access Provider authenticates student
Access Provider messages the Meteor Registry for validation, attaching the security assertion
Registry validates the provider and sends the request to the Meteor Index for processing.
The index identifies potential data providers, who receive a message including the security assertion
Data providers return data to the access provider, provided that the applicable authentication level meets their requirements.

Page 28:

What’s Next?

Continue to monitor the development of XML, transport and authentication standards
Review of multi-layer authentication
Clock synchronization across the network for timing out of assertions for additional security
Alignment with the NIST levels of assurance

Page 29:

Contact Information

Tim Cameron
Meteor Project Manager
NCHELP
703-969-8565
[email protected]