Assurance

[Tom Barton <>]

Beyond agreeing with Jim and appreciating his conciseness(!), I address 
his question by noting that the InCommon Assurance Advisory Committee 
will hold a BoF at 7:30am next Wednesday morning at the Global Summit on 
Baseline Practices. Purpose is to get feedback on elements proposed to 
be incorporated into something that would effectively replace the 
Participant Operating Practices doc.

There will be more opportunities to give feedback! This is just the next 
one, for those who may be available to participate.

Thanks,
Tom

--
Tom Barton
Senior Director for Architecture, Integration, and Security
Chief Information Security Officer
IT Services
University of Chicago
+1 773 834 1700



On 5/10/2016 8:41 AM, Basney, Jim wrote:
> Hi,
>
> > What does it mean for an IdP to "support MFA?" Is it the ability to issue
> > assertions in compliance with the MFA profile for at least one member of
> > its community?
> Yes.
>
> In XSEDE we would conclude that researchers on that campus can use MFA for
> federated authentication to XSEDE resources, so XSEDE doesn't need to
> issue separate MFA tokens to those researchers. For more info on campus
> researchers using XSEDE, see: https://www.xsede.org/campus-champions
>
> > Should the ability to issue assertions in compliance with the Base Level
> > profile also be included so that SPs that prefer MFA but will accept
> > anything else can do that with a single authentication request?  This
> > would imply that the ability to assert Base Level be required of all
> > members of the IdP's community.
> Yes.
>
> I thought the InCommon Assurance program already defined a base LOA to
> replace the POP. Any news on that?
>
> > Would a formal institutional declaration of compliance with the MFA
> > profile cause you to trust its MFA assertions more?
> Yes.
>
> > Could that declaration be as simple as a box in the Federation Manager
> > that would be checked by the site administrator
> Yes.
>
> Sincerely,
> Jim Basney
> XSEDE's InCommon Site Administrator