ad-assurance - Re: [AD-Assurance] Microsoft Strategy / FICAM / Kantara

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: David Walker <>
  • To:
  • Subject: Re: [AD-Assurance] Microsoft Strategy / FICAM / Kantara
  • Date: Mon, 06 May 2013 15:43:13 -0700
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=pass (signature verified)

Jeff,

From my reading, "IdP Lite" is a level of SAML 2.0 interoperability, not assurance.  The list I saw, though, didn't mention Microsoft; do you have the URL of what you saw?

Nevertheless, the Kantara link is a good one.  I'll change that question to say "Does Microsoft have a strategy for supporting compliance with the Federal Identity, Credential, and Access Management (FICAM) requirements at LoA-2, perhaps through Microsoft's partnership with the Kantara Initiative? If so, what is the time frame?"

David

On Mon, 2013-05-06 at 21:35 +0000, Capehart,Jeffrey D wrote:
On the question “Does Microsoft have a strategy for supporting compliance with the Federal Identity, Credential, and Access Management (FICAM) requirements at LoA-2? If so, what is the time frame?”

Note that Microsoft is a partner with Kantara, and that AD-FS was listed as the Microsoft technology adopted that passed “IdP Lite” level.

Presumably they passed based on the Common Criteria EAL4 done for Windows Vista and Server 2008?

Perhaps the question to ask is how do AD-FS and AD-DS meet the SP 800-63 approved algorithm requirement for stored authentication secrets, and other aspects per our gaps table?

When I looked at the documents, it seemed as if there was a reliance on AD-DS by AD-FS.  And the Common Criteria specs excluded the one piece that would have tested 4.2.3.6 as “not applicable”.

Not to mention the many references to assumptions that were made for the EAL4 evaluation…

However, the main point is that Microsoft should already be familiar with the Kantara Initiative, so perhaps that is the way to go since many of the same requirements are present due to FICAM profile approval.

Jeff





