General design and security risk review for a new XSEDE InCommon Identity Provider
The following questions were raised during review:
Does XSEDE Duo exclude the use of SMS-based passcodes according to https://duo.com/blog/duo-aligns-with-nist-on-authentication-guidelines ?
In XCI-30 we're simply using whatever XSEDE Duo authentication methods are enabled by XSEDE. Brian will raise this Duo policy question with Sec Ops.
Can anyone who registers with XSEDE use this service, or are there additional restrictions? Does it require an active or past allocation? Does it require vetting by XSEDE staff?
Anyone with an XSEDE portal account can use it, similar to weblogin.xsede.org. There are no additional restrictions.
Are we going to add the "affiliation" attribute, and is so, how will it be populated?
No, we won't provide an affiliation attribute. Affiliation is optional according to https://refeds.org/category/research-and-scholarship, and since XSEDE is not authoritative for a person's institutional affiliation, it would not be correct for us to assert it.
Version 1.1 of https://software.xsede.org/svn/xci/activities/xci-030/trunk/Deliverables/XSEDE-InCommon-IdP-Design.pdf includes clarifications to address the above questions.
Review Output Documents (Final)
Review Input Documents
Please focus on these questions:
- Does the proposed design satisfy the functional user requirements?
- Are the protocols and interfaces selected appropriate and secure?
- Are the interactions with other XSEDE and non-XSEDE services secure?
- Are the services operated in a secure way and are the procedures appropriate to deal with planned and unplanned outages and unplanned incidents?
and the following solution supported scenarios:
- user accesses a non-XSEDE inCommon service using their XSEDE InCommon username and password
- user accesses a non-XSEDE inCommon service using an XSEDE InCommon user second factor
ScheduleCurrent Date: 2019-08-22
Current Status: Closed (Design and Security Review)
|Target Date||Actual Date||Activity Milestone|
|2017-02-02||Review launch date|
|2017-02-15||Written feedback due (Reviewers)|
|2017-02-17||2017-03-06||Written response date (Review Material Developers)|
|2017-02-20||2017-03-06||Final approval due and completion date (Reviewers)|
Review Last Updated: 2017-03-06 7:49 am
If you are a reviewer, please login to sign or withdraw from this review.
- Victor Hazlewood
SIGNED: 2017-03-03 15:56
- John-Paul Navarro
SIGNED: 2017-03-02 10:25
- Maytal Dahan
- Terrence Fleury
SIGNED: 2017-02-09 10:18
- Brian Hom
SIGNED: 2017-02-15 19:11
- Lee Liming
- Jim Marsteller
- Adam Slagell
- Shava Smallen
SIGNED: 2017-02-15 20:45
- Susan Sons
- Von Welch
Review Material Developers