[REVIEW-40] XCI-30 Provide InCommon Identity Provider for XSEDE Identities - Design/Security Review
Created: 02/01/2017 Updated: 03/06/2017 Resolved: 03/06/2017
|Type:||Design and Security Review|
Please focus on these questions:
and the following solution supported scenarios:
The following questions were raised during review:
Does XSEDE Duo exclude the use of SMS-based passcodes according to https://duo.com/blog/duo-aligns-with-nist-on-authentication-guidelines ?
In XCI-30 we're simply using whatever XSEDE Duo authentication methods are enabled by XSEDE. Brian will raise this Duo policy question with Sec Ops.
Can anyone who registers with XSEDE use this service, or are there additional restrictions? Does it require an active or past allocation? Does it require vetting by XSEDE staff?
Anyone with an XSEDE portal account can use it, similar to weblogin.xsede.org. There are no additional restrictions.
Are we going to add the "affiliation" attribute, and if so, how will it be populated?
No, we won't provide an affiliation attribute. Affiliation is optional according to https://refeds.org/category/research-and-scholarship, and since XSEDE is not authoritative for a person's institutional affiliation, it would not be correct for us to assert it.
Version 1.1 of https://software.xsede.org/svn/xci/activities/xci-030/trunk/Deliverables/XSEDE-InCommon-IdP-Design.pdf includes clarifications to address the above questions.
|Public Review Link:||https://software.xsede.org/jira/view/reviews/REVIEW-40|
|Review Material Developers:|| Jim Basney, firstname.lastname@example.org, Developer
Venkat Yekkirala, email@example.com, Developer
General design and security risk review for a new XSEDE InCommon Identity Provider
There are comments for REVIEW-40 that can be viewed with XSEDE authentication.