T&I Lightning Talks TechX 2017

T&I Lightning Talks TechX 2017 - Internet2 · 2017-10-17 · • Created by EU to manage data protection uniformly across the EU – Is binding for every member EU nation – With


Page 1:

T&I Lightning Talks TechX 2017

Page 2:

Talks

• Of BetrAAIal the federated login and its salvation – Renato Furter, SWITCH
• OTTO – Mike Schwartz, GLUU
• Anyroam, eduroam in the US – Philippe Hanset
• Provisioning/Deprovisioning and access control using the Adaptive Object Framework – Jill Gemmill, Clemson
• User-selected authN subflows in IDIC – Allan Kim, UC San Diego
• GDPR in a nutshell – Ken Klingenstein, Internet2

Page 3:

© 2017 SWITCH | 3

Of BetrAAIal the federated login and its salvation

Renato Furter, [email protected], TechX 2017, San Francisco, 16th October 2017

Page 4:

Page 5:

[email protected] · @zivel

Page 6:

Kantara OTTO: Open Trust Taxonomy for federation Operators

Internet2 TechX Lightning Talk 2017, Michael Schwartz

Co-Chair, Kantara OTTO WG. Tweet comments to @gluufederation

Page 7:

© Copyright 2017 Kantara Initiative, Inc.

What problem does OTTO Solve?

● Leverage existing trust model to support OAuth protocols
● Reduce data duplication for inter-federation
● Extend metadata search capabilities
● Define common data model for federation stuff
● Standardize APIs for communicating with a federation
● Support SAML, OpenID, UMA… and _____ in the future
● Enable simple, extensible, open and interoperable federation!

Page 8:

We talked to a lot of federation experts...

● Leif Johansson, federation security guru: “The biggest problem is not that we haven't deployed MDQ. The biggest problem is the aggregator-aggregator communication is too slow, too cumbersome, doesn't scale well. Need an asynchronous update mechanism... the problem of who talks to who, and how and what are the data types are incidental.”

● Ian Young, co-author of MDQ: “Exchanging metadata is analogous to DNS v. hosts files. But DNS is small--just an IP address--whereas the average SAML IDP metadata is 7k, and some may contain multiple certificates.”

● Roland Hedberg, co-author of OpenID Connect federation: “One of the unique approaches of this federation draft is the use of "metadata statements", which include information about a federation participant, and the services it offers.”

● Rhys Smith, JISC Federation API developer: “Automation is needed by a larger federation, and especially by participants who manage many entities. If a participant needs to update 300 certificates, it can be a challenge for both the member and the federation. An automated process to perform this task would be more accurate and less expensive.”

Page 9:

OTTO Federation Actors

Page 10:

API Endpoints

● /configuration *
● /federation **
● /participant
● /entity
● /metadata

* https://example.com/path/.well-known/otto-configuration
** The federation endpoint is where searching happens

Page 11:

JSON-LD Vocabulary

Page 12:

First implementations?

● First Responder? ERASMUS Pilot – DHS Identity S&T Group. The emergency responder community is very decentralized, with thousands of federal, state, and local organizations. The OTTO federation APIs will be used to publish public keys for participants, and federation data standards for this next generation OpenID Connect federation.

● Banking? PSD2 Banking Federation. New banking regulations in Europe are creating standard APIs to get your balance, or to wire money. The “FAPI” OpenID Connect profile has been adopted. There is a need to create a federation between banks and payment partners to publish keys and other metadata.

Page 13:

Join. Innovate. Trust.

Slides are available online: http://gluu.co/techx-2017

Page 14: (image slide)

Page 15:

Flash News…. WPA2 broken: Krackattacks.com

• Turn off 802.11r as first measure
• Patch infrastructure & devices ASAP
• Unpatched infrastructure is open
• Unpatched devices have no encryption

Page 16:

incommon.org/eduroam

Page 17:

Daily USA Users

Pages 18-24: (chart slides, no text)

cat.eduroam.org (free tool)

• MS Windows 10, 8, 7, Vista - Chrome OS - iOS - macOS 10.7+ - Android 4.3+ - Linux
• Locks RADIUS certificate to prevent MiTM
• anonymous@domain (privacy + automation)
• In the cloud
• Non-eduroam profiles as well
• Reduces Help Desk visits

Page 25:

Between local, state, and federal government

Same ease of use and security as eduroam

[email protected]

Page 26:

• Non-edu guests on eduroam SSID
• ANYROAM is a centralized IDP for guests
• One registration, good for a long time
• Phone number is the authenticator

Page 27:

Roaming Communities

Page 28:

Inter-Roaming Communities

Page 29:

Passpoint / HotSpot 2.0

• Wi-Fi Access-Point advertises communities
• Negotiation between AP and Device
• Amount of domains for eduroam is a problem
• Routing for National Roaming Operator (NRO) is a problem

Page 30:

Thank you

[email protected]

Page 31:

Context Juggling: Handling user-selected authentication flows in an IDIC universe

Page 32:

Infinite diversity, infinite combinations

▪ Basis of Vulcan philosophy (ST:TOS)

▪ When applied to authN / authZ, arguably illogical

Page 33:

The original problem

▪ Superset of the multi-context broker problem

▪ UC San Diego SSO originally ran on top of multiple authentication systems (MIT Kerberos, Active Directory, IBM RACF, etc.) for distinct user populations

▪ Slowly consolidating systems (AD) but still need the idea of authentication as student, faculty/staff, applicant, alum, none of the above

▪ Add MFA to the list and generate more permutations

▪ Don’t even ask about OIDC / social login or we’ll cry

Page 34:

The solution (?)

▪ Define multiple local authentication flows (student, faculty/staff, applicant, etc.)

▪ Map flows to local authnContextClassRefs (e.g. urn:mace:ucsd.edu:sso:ad)

▪ Campus SP operators can request one or more authnContextClassRefs, set up matching authN/authZ rules (sometimes forget the authZ part)

▪ Thankfully Shib 3 moved in this direction as well!

▪ Auth flows for legacy / federated SPs are managed centrally – in Shib 3, injected into the AuthenticationContext with an activeFlowResolver

Page 35:

Visualize this!

Page 36:

How to handle multiple available flows?

▪ Extend login.vm to provide menu of available flows

▪ User selection handled as a SWF event

▪ Event ID passed to existing AuthenticationContext.signaledFlowId

▪ Breaks out of current authentication (sub)flow, calls the user-selected flow
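The flow mapping from "The solution (?)" and the menu selection above, modelled in Python as an added example. It is not code from the UC San Diego deployment or from the Shibboleth IdP: the flow names, the example.edu URNs, the per-SP defaults and the "MFA also satisfies AD" policy are constructed; only the urn:mace:ucsd.edu:sso:ad form comes from the talk. It also carries the authZ check on the SP side that the slide says operators sometimes forget.

```python
# Modelled user-selectable authentication flows behind a SAML IdP.
# Added example, not code from the UC San Diego deployment or from the
# Shibboleth IdP. Flow names, the example.edu URNs and the per-SP defaults
# are constructed; only the urn:mace:ucsd.edu:sso:ad form is from the talk.

# Local flows and the authnContextClassRef each one asserts.
FLOW_CONTEXT = {
    "authn/Student":   "urn:mace:example.edu:sso:student",
    "authn/Staff":     "urn:mace:ucsd.edu:sso:ad",
    "authn/Applicant": "urn:mace:example.edu:sso:applicant",
    "authn/StaffMFA":  "urn:mace:example.edu:sso:ad:mfa",
}
# A stronger flow may also satisfy a weaker requested context (MFA over AD
# still counts as an AD login). Constructed policy.
ALSO_SATISFIES = {"authn/StaffMFA": {"urn:mace:ucsd.edu:sso:ad"}}
# Centrally managed defaults for legacy/federated SPs that request no
# context (the role the talk gives to an activeFlowResolver). Constructed.
SP_DEFAULT_FLOWS = {
    "https://legacy.example.edu/shibboleth": ["authn/Staff", "authn/Student"],
}
FALLBACK_FLOWS = ["authn/Student"]


def contexts_covered(flow):
    """Every requested context that running `flow` would satisfy."""
    return {FLOW_CONTEXT[flow]} | ALSO_SATISFIES.get(flow, set())


def resolve_active_flows(sp_entity_id, requested_contexts):
    """Build the AuthenticationContext: which flows the login menu may offer."""
    if requested_contexts:
        active = [f for f in FLOW_CONTEXT
                  if contexts_covered(f) & set(requested_contexts)]
    else:
        active = list(SP_DEFAULT_FLOWS.get(sp_entity_id, FALLBACK_FLOWS))
    return {"sp": sp_entity_id, "requested": list(requested_contexts),
            "active_flows": active, "signaled_flow_id": None}


def signal_flow(ctx, event_id):
    """Menu selection arrives as an event; only an active flow may be signaled.
    Returns False (and leaves ctx untouched) for anything else."""
    if event_id not in ctx["active_flows"]:
        return False
    ctx["signaled_flow_id"] = event_id   # leaves the current sub-flow
    return True


def asserted_context(ctx):
    """authnContextClassRef the IdP asserts for the flow that actually ran."""
    return FLOW_CONTEXT[ctx["signaled_flow_id"]]


def sp_accepts(asserted, requested):
    """The authZ half SP operators sometimes forget: check that what came
    back really satisfies one of the contexts the SP asked for."""
    if not requested:
        return True
    flows = [f for f, c in FLOW_CONTEXT.items() if c == asserted]
    return bool(flows) and bool(contexts_covered(flows[0]) & set(requested))
```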

Page 37: (image slide)

Page 38:

How does this work with MFA in general?

▪ Usable (but not optimal) when MFA is implemented as part of the authentication flow (e.g. classic Duo flow)

▪ In theory, might work better with MFA as a post-authentication intercept flow

▪ Work in progress: Headless MFA for ECP (push only via Duo API)

Page 39:

What about the Shib 3.3.x MFA flow?

▪ “We’re working on that … we’ll tell you about it next year!”

▪ Seriously though, can adapt the existing flow mapping and resolution into a custom nextFlowStrategyMap

Page 40:

Ferengi Rules of Authentication

▪ Once you leak your credentials, you never get them back

▪ Static metadata is eternal

▪ A context is a context is a context

Page 41:

General Data Protection Regulation (GDPR)

Page 42:

GDPR

• The problem set and resulting requirements
• The Scalable Consent work
• The CAR architecture – a brief look under the hood and at the two user UX
• Unexpected outcomes
• CAR Management capabilities – how it performs
• Demos
  – Intercept UI
  – Self-service UI
• The Duke experience
• Next steps

Page 43:

GDPR (General Data Protection Regulation)

• Created by EU to manage data protection uniformly across the EU
  – Is binding for every member EU nation
  – With many global impacts
• Passed in 2016, becomes operational May 25, 2018.
• Covers a vast waterfront of issues from tracking to attribute release to right to be forgotten to data breaches to...
• Consists of a set of rules (Articles) and then example interpretations of the rules in key areas (Recitals)
• Penalties of up to 4% of global revenue
• Identifies six reasons for attribute release, including contract, consent, national security, legal actions, etc.
  – Specifies when consent is not to be used, when it should be used, the quality of the consent, etc.
• It affects many, perhaps most, US institutions.

Page 44:

Solove One-Pager (GDPR workforce awareness training by Prof. Daniel J. Solove, www.teachprivacy.com; please ask permission to reuse or distribute)

TERRITORIAL SCOPE
• EU establishments
• Non-EU established organizations that offer goods or services or engage in monitoring within the EU

THE PLAYERS
• Data subjects
• Data controllers
• Data processors
• Supervisory authorities

PERSONAL DATA
• Identified or identifiable

SENSITIVE DATA
• Racial or ethnic origin
• Religious or philosophical beliefs
• Health
• Trade union membership
• Sex life
• Political opinions
• Biometric data
• Genetic data

LAWFUL PROCESSING
• Collection and processing of personal data must be for “specified, explicit and legitimate purposes” – with consent of data subject or necessary for:
  – performance of a contract
  – compliance with a legal obligation
  – to protect a person’s vital interests
  – task in the public interest
  – legitimate interests

CONSENT
• Consent must be freely given, specific, informed, and unambiguous.

RESPONSIBILITIES OF DATA CONTROLLERS AND PROCESSORS
• Data Protection Officer (DPO): designate DPO if core activity involves regular monitoring or processing large quantities of personal data.
• Data Protection by Design: built in starting at the beginning of the design process
• Data Impact Assessment: for high risk situations
• Record of Data Processing Activities: maintain a documented register of all activities involving processing of EU personal data.
• Security

RIGHTS OF DATA SUBJECTS
• Transparency
• Purpose specification and minimization
• Access and rectification
• Automated decision-making: “Right not to be subject to a decision based solely on automated processing, including profiling.”
• Right to data portability
• Right to erasure

DATA BREACH NOTIFICATION
• A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
• Notify supervisory authorities no later than 72 hours after discovery.
• If likely to result in a high privacy risk, notify data subjects.

INTERNATIONAL DATA TRANSFER
• Adequate level of data protection
• Model Contractual Clauses
• Binding Corporate Rules (BCRs)
• Privacy Shield

ENFORCEMENT
• Fines: up to 20 million euros or 4% of total annual worldwide turnover. Less serious violations: up to 10 million euros or 2% of total annual worldwide turnover.
• Effective judicial remedies: compensation for material and non-material harm.

Page 45:

Draft JISC Service Categories

Page 46:

Some gnarly details

• PII and Sensitive PII
  – Almost everything is PII, from IP address to persistent identifiers
  – Some identifiers are not, e.g. ePTID
  – Sensitive PII
    • Religious, ethnic, sexual, health, trade-union membership, etc.
    • Requires special handling in everything from protection to presentation
• Research data use
• Right to be forgotten
  – Cloud based backups
• “This call may be recorded…”
• Data breach notifications
  – 72 hours
• Data protection officer and individual data protection training

Page 47:

Consent and GDPR

• GDPR is specific on when to not use and to use consent, and the nature of consent when used
• For many university core services, “legitimate interests” may be used to avoid the use of explicit consent
• Some institutions feel a consistency of experience and transparency are important
• A consistency of consent experiences across devices and providers is desirable
• The quality of the consent is very important
  – Distinct experience
  – Revocable
  – Informed
  – Fine grain – data minimization
  – Handle sensitive values
• Users seem to get it

Page 48:

Resources

• Geant Data Protection Group - https://wiki.geant.org/display/gn42na3/Data+Protection+Regulation+working+group
• AACRAO - http://www.aacrao.org/resources/trending-topics/gdpr
• Solove - https://www.teachprivacy.com/wp-content/uploads/GDPR-Whiteboard-TeachPrivacy-Privacy-Awareness-Training-1.pdf?utm_source=Opt-in+Newsletter&utm_campaign=2b5854b8a2-09_06_Newsletter&utm_medium=email&utm_term=0_b681bb8bd9-2b5854b8a2-161068009
• Bird & Bird - https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird--bird--guide-to-the-general-data-protection-regulation.pdf?la=en
• Andrew Cormack blogs – e.g. https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-whats-your-justification
• Characteristics of GDPR compliant consent - https://spaces.internet2.edu/display/ScalableConsent/Scalable+Consent+Home?preview=/93653624/113249108/GDPR%20and%20CAR.pdf