T&I Lightning Talks TechX 2017 - Internet2 · 2017-10-17
T&I Lightning Talks TechX 2017

Talks
• Of BetrAAIal the federated login and its salvation – Renato Furter, SWITCH
• OTTO – Mike Schwartz, GLUU
• Anyroam, eduroam in the US – Philippe Hanset
• Provisioning/Deprovisioning and access control using the Adaptive Object Framework – Jill Gemmill, Clemson
• User-selected authN subflows in IDIC – Allan Kim, UC San Diego
• GDPR in a nutshell – Ken Klingenstein, Internet2
© 2017 SWITCH | 3
Of BetrAAIal the federated login and its salvation
Renato Furter, [email protected], TechX 2017 San Francisco, 16th October 2017
[email protected] | @zivel
Kantara OTTO: Open Trust Taxonomy for federation Operators
Internet2 TechX Lightning Talk 2017, Michael Schwartz, Co-Chair, Kantara OTTO WG
Tweet comments @gluufederation
© Copyright 2017 Kantara Initiative, Inc.
What problem does OTTO Solve?
● Leverage existing trust model to support OAuth protocols
● Reduce data duplication for inter-federation
● Extend metadata search capabilities
● Define common data model for federation stuff
● Standardize API’s for communicating with a federation
● Support SAML, OpenID, UMA… and _____ in the future
● Enable simple, extensible, open and interoperable federation!
We talked to a lot of federation experts...
● Leif Johansson, federation security guru: “The biggest problem is not that we haven't deployed MDQ. The biggest problem is the aggregator-aggregator communication is too slow, too cumbersome, doesn't scale well. Need an asynchronous update mechanism... the problem of who talks to who, and how and what are the data types are incidental.”
● Ian Young, co-author of MDQ: “Exchanging metadata is analogous to DNS v. hosts files. But DNS is small--just an IP address--whereas the average SAML IDP metadata is 7k, and some may contain multiple certificates.”
● Roland Hedberg, co-author of OpenID Connect federation: “One of the unique approaches of this federation draft is the use of "metadata statements", which include information about a federation participant, and the services it offers.”
● Rhys Smith, JISC Federation API developer: “Automation is needed by a larger federation, and especially by participants who manage many entities. If a participant needs to update 300 certificates, it can be a challenge for both the member and the federation. An automated process to perform this task would have been more accurate and less expensive.”
OTTO Federation Actors
API Endpoints
● /configuration *
● /federation **
● /participant
● /entity
● /metadata
* https://example.com/path/.well-known/otto-configuration
** The federation endpoint is where searching happens
JSON-LD Vocabulary
First implementations?
● First Responder? ERASMUS Pilot (DHS Identity S&T Group). The emergency responder community is very decentralized, with thousands of federal, state, and local organizations. The OTTO federation API’s will be used to publish public keys for participants, and federation data standards for this next generation OpenID Connect federation.
● Banking? PSD2 Banking Federation. New banking regulations in Europe are creating standard API’s to get your balance, or to wire money. The “FAPI” OpenID Connect profile has been adopted. There is a need to create a federation between banks and payment partners to publish keys and other metadata.
Join. Innovate. Trust.
Slides are available online: http://gluu.co/techx-2017
Flash News…. WPA2 broken: krackattacks.com
• Turn off 802.11r (fast BSS transition) as a first measure
• Patch infrastructure & devices ASAP
• Unpatched infrastructure is open
• Unpatched devices have no effective encryption: the key reinstallation lets an attacker decrypt client traffic (on the affected Android/Linux wpa_supplicant clients the reinstalled key is all-zero)
incommon.org/eduroam
Daily USA Users
cat.eduroam.org (free tool)
• MS Windows 10, 8, 7, Vista; ChromeOS; iOS; macOS 10.7+; Android 4.3+; Linux
• Locks the RADIUS certificate to prevent MitM
• anonymous@domain (privacy + automation)
• In the cloud
• Non-eduroam profiles as well
• Reduces help desk visits
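What “locks the RADIUS certificate” and “anonymous@domain” mean on the client side, written out as an added wpa_supplicant network block. This is not CAT’s generated output or anything from the talk; the realm, CA file path, RADIUS server name and credentials are assumed placeholders.

```conf
# Added example: the checks a CAT-style eduroam profile installs, expressed
# as a wpa_supplicant network block. example.edu, the CA path, the server
# name and the credentials are placeholders, not real values.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"

    # Outer (anonymous) identity: only the realm is sent in the clear, which
    # is all the RADIUS proxies need to route the request to the home IdP.
    anonymous_identity="anonymous@example.edu"

    # Inner identity and password travel only inside the TLS tunnel.
    identity="jdoe@example.edu"
    password="correct horse battery staple"

    # Pin the trust anchor AND the expected server name. Either one alone is
    # not enough: a rogue "eduroam" AP with its own RADIUS and a certificate
    # that chains to any trusted CA would otherwise complete the TLS handshake
    # and capture the inner MSCHAPv2 exchange.
    ca_cert="/etc/eduroam/example-edu-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
```

The pair ca_cert plus domain_suffix_match is the MitM protection the slide refers to; a profile that trusts the OS certificate store and performs no server-name match accepts any publicly trusted certificate, which is exactly what an evil-twin access point presents.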
Non-edu guests on eduroam SSID
• ANYROAM is a centralized IdP for guests
• One registration, good for a long time
• Phone number is the authenticator
Roaming Communities
Inter-Roaming Communities
Passpoint / HotSpot 2.0: the Wi-Fi access point advertises communities
Negotiation between AP and device
The number of domains to advertise for eduroam is a problem
Routing for a National Roaming Operator (NRO) is a problem
Thank you
Context Juggling: Handling user-selected authentication flows in an IDIC universe
Infinite diversity, infinite combinations
▪ Basis of Vulcan philosophy (ST:TOS)
▪ When applied to authN / authZ, arguably illogical
The original problem
▪ Superset of the multi-context broker problem
▪ UC San Diego SSO originally ran on top of multiple authentication systems (MIT Kerberos, Active Directory, IBM RACF, etc.) for distinct user populations
▪ Slowly consolidating systems (AD) but still need the idea of authentication as student, faculty/staff, applicant, alum, none of the above
▪ Add MFA to the list and generate more permutations
▪ Don’t even ask about OIDC / social login or we’ll cry
The solution (?)
▪ Define multiple local authentication flows (student, faculty/staff, applicant, etc.)
▪ Map flows to local authnContextClassRefs (e.g. urn:mace:ucsd.edu:sso:ad)
▪ Campus SP operators can request one or more authnContextClassRefs and set up matching authN/authZ rules (sometimes they forget the authZ part)
▪ Thankfully Shib 3 moved in this direction as well!
▪ Auth flows for legacy / federated SPs are managed centrally – in Shib 3, injected into the AuthenticationContext with an activeFlowResolver
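The mapping and the request/enforcement split described above, written out as an added example against Shibboleth IdP v3 and Shibboleth SP configuration. It is not UC San Diego’s configuration and not code shipped by the Shibboleth project; the class ref urn:mace:ucsd.edu:sso:ad is the one named on the slide, while the flow id authn/Password, the hostname and the path are assumed placeholders.

```xml
<!-- IdP side, conf/authn/general-authn.xml (Shibboleth IdP v3).
     Attach the local class ref to the flow that authenticates against AD
     (authn/Password is assumed here; a site with student/faculty/applicant
     flows repeats this per flow with its own class ref). -->
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true">
  <property name="supportedPrincipals">
    <list>
      <bean parent="shibboleth.SAML2AuthnContextClassRef"
            c:classRef="urn:mace:ucsd.edu:sso:ad" />
    </list>
  </property>
</bean>

<!-- SP side, shibboleth2.xml RequestMapper (hostname and path assumed).
     The authnContextClassRef/authnContextComparison settings only put a
     RequestedAuthnContext into the AuthnRequest; they do not verify what
     the IdP answers with. The AccessControl rule is the authZ part. -->
<RequestMapper type="Native">
  <RequestMap>
    <Host name="sp.example.edu">
      <Path name="secure" authType="shibboleth" requireSession="true"
            authnContextClassRef="urn:mace:ucsd.edu:sso:ad"
            authnContextComparison="exact">
        <AccessControl>
          <!-- Deny unless the session really carries this context -->
          <Rule require="authnContextClassRef">urn:mace:ucsd.edu:sso:ad</Rule>
        </AccessControl>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
```

Without the Rule, an IdP that ignores the request, or a flow mis-mapped on the IdP, still yields a valid SP session with some other context, which is the “forget the authZ part” failure the slide mentions.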
Visualize this!
How to handle multiple available flows?
▪ Extend login.vm to provide menu of available flows
▪ User selection handled as a SWF event
▪ Event ID passed to existing AuthenticationContext.signaledFlowId
▪ Breaks out of current authentication (sub)flow, calls the user-selected flow
How does this work with MFA in general?
▪ Usable (but not optimal) when MFA is implemented as part of the authentication flow (e.g. classic Duo flow)
▪ In theory, might work better with MFA as a post-authentication intercept flow
▪ Work in progress: Headless MFA for ECP (push only via Duo API)
What about the Shib 3.3.x MFA flow?
▪ “We’re working on that … we’ll tell you about it next year!”
▪ Seriously though, can adapt the existing flow mapping and resolution into a custom nextFlowStrategyMap
Ferengi Rules of Authentication
▪ Once you leak your credentials, you never get them back
▪ Static metadata is eternal
▪ A context is a context is a context
General Data Protection Regulation (GDPR)
• The problem set and resulting requirements
• The Scalable Consent work
• The CAR architecture – a brief look under the hood and at the two user UX
• Unexpected outcomes
• CAR management capabilities – how it performs
• Demos
  – Intercept UI
  – Self-service UI
• The Duke experience
• Next steps
GDPR
• Created by the EU to manage data protection uniformly across the EU
  – Is binding for every EU member nation
  – With many global impacts
• Passed in 2016, becomes operational May 25, 2018
• Covers a vast waterfront of issues, from tracking to attribute release to the right to be forgotten to data breaches to ...
• Consists of a set of rules (Articles) and then example interpretations of the rules in key areas (Recitals)
• Penalties of up to 4% of global revenue
• Identifies six lawful bases for attribute release (Article 6), including contract, consent, legal obligation, legitimate interests, etc.
  – Specifies when consent is not to be used, when it should be used, the quality of the consent, etc.
• It affects many, perhaps most, US institutions.
GDPR (General Data Protection Regulation)
Solove One-Pager (GDPR workforce awareness training by Prof. Daniel J. Solove, www.teachprivacy.com; please ask permission to reuse or distribute)

TERRITORIAL SCOPE: EU establishments; non-EU established organizations that offer goods or services to, or engage in monitoring within, the EU.
THE PLAYERS: data subjects, data controllers, data processors, supervisory authorities.
PERSONAL DATA: identified or identifiable. SENSITIVE DATA: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life.
LAWFUL PROCESSING: collection and processing of personal data must be for “specified, explicit and legitimate purposes”, with consent of the data subject or necessary for: performance of a contract; compliance with a legal obligation; protecting a person’s vital interests; a task in the public interest; legitimate interests.
CONSENT: must be freely given, specific, informed, and unambiguous.
RIGHTS OF DATA SUBJECTS: transparency; purpose specification and minimization; access and rectification; right to data portability; right to erasure; automated decision-making (“Right not to be subject to a decision based solely on automated processing, including profiling.”).
RESPONSIBILITIES OF DATA CONTROLLERS AND PROCESSORS: data protection by design (built in starting at the beginning of the design process); record of data processing activities (maintain a documented register of all activities involving processing of EU personal data); data impact assessment for high risk situations; designate a Data Protection Officer (DPO) if core activity involves regular monitoring or processing large quantities of personal data; security.
DATA BREACH NOTIFICATION: a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Notify supervisory authorities no later than 72 hours after discovery; if likely to result in a high privacy risk, notify data subjects.
INTERNATIONAL DATA TRANSFER: adequate level of data protection; Model Contractual Clauses; Binding Corporate Rules (BCRs); Privacy Shield.
ENFORCEMENT: fines of up to 20 million euros or 4% of total annual worldwide turnover; less serious violations up to 10 million euros or 2% of total annual worldwide turnover. Effective judicial remedies: compensation for material and non-material harm.
Draft JISC Service Categories
Some gnarly details
• PII and Sensitive PII
  – Almost everything is PII, from IP address to persistent identifiers
  – Some identifiers are not, e.g. ePTID
• Sensitive PII
  – Religious, ethnic, sexual, health, trade-union membership, etc.
  – Requires special handling in everything from protection to presentation
• Research data use
• Right to be forgotten
  – Cloud based backups
• “This call may be recorded…”
• Data breach notifications
  – 72 hours
• Data protection officer and individual data protection training
Consent and GDPR
• GDPR is specific on when to not use and to use consent, and the nature of consent when used
• For many university core services, “legitimate interests” may be used to avoid the use of explicit consent
• Some institutions feel a consistency of experience and transparency are important
• A consistency of consent experiences across devices and providers is desirable
• The quality of the consent is very important
  – Distinct experience
  – Revocable
  – Informed
  – Fine grain, data minimization
  – Handle sensitive values
• Users seem to get it
Resources
• Geant Data Protection Group: https://wiki.geant.org/display/gn42na3/Data+Protection+Regulation+working+group
• AACRAO: http://www.aacrao.org/resources/trending-topics/gdpr
• Solove: https://www.teachprivacy.com/wp-content/uploads/GDPR-Whiteboard-TeachPrivacy-Privacy-Awareness-Training-1.pdf?utm_source=Opt-in+Newsletter&utm_campaign=2b5854b8a2-09_06_Newsletter&utm_medium=email&utm_term=0_b681bb8bd9-2b5854b8a2-161068009
• Bird & Bird: https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird--bird--guide-to-the-general-data-protection-regulation.pdf?la=en
• Andrew Cormack blogs, e.g. https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-whats-your-justification
• Characteristics of GDPR compliant consent: https://spaces.internet2.edu/display/ScalableConsent/Scalable+Consent+Home?preview=/93653624/113249108/GDPR%20and%20CAR.pdf