REVIEW-40: XCI-30 Provide InCommon Identity Provider for XSEDE Identities - Design/Security Review

Overview

General design and security risk review for a new XSEDE InCommon Identity Provider

Review Summary

The following questions were raised during review:

Does XSEDE Duo exclude the use of SMS-based passcodes according to https://duo.com/blog/duo-aligns-with-nist-on-authentication-guidelines ?

In XCI-30 we're simply using whatever XSEDE Duo authentication methods are enabled by XSEDE. Brian will raise this Duo policy question with Sec Ops.

Can anyone who registers with XSEDE use this service, or are there additional restrictions? Does it require an active or past allocation? Does it require vetting by XSEDE staff?

Anyone with an XSEDE portal account can use it, similar to weblogin.xsede.org. There are no additional restrictions.

Are we going to add the "affiliation" attribute, and is so, how will it be populated?

No, we won't provide an affiliation attribute. Affiliation is optional according to https://refeds.org/category/research-and-scholarship, and since XSEDE is not authoritative for a person's institutional affiliation, it would not be correct for us to assert it.

Version 1.1 of https://software.xsede.org/svn/xci/activities/xci-030/trunk/Deliverables/XSEDE-InCommon-IdP-Design.pdf includes clarifications to address the above questions.

Review Output Documents (Final)

Version 1.1 of:
https://software.xsede.org/svn/xci/activities/xci-030/trunk/Deliverables/XSEDE-InCommon-IdP-Design.pdf

Review Input Documents

https://software.xsede.org/svn/xci/activities/xci-030/trunk/Deliverables/XSEDE-InCommon-IdP-Design.pdf

Review Criteria

Please focus on these questions:

  1. Does the proposed design satisfy the functional user requirements?
  2. Are the protocols and interfaces selected appropriate and secure?
  3. Are the interactions with other XSEDE and non-XSEDE services secure?
  4. Are the services operated in a secure way and are the procedures appropriate to deal with planned and unplanned outages and unplanned incidents?

and the following solution supported scenarios:

  1. user accesses a non-XSEDE inCommon service using their XSEDE InCommon username and password
  2. user accesses a non-XSEDE inCommon service using an XSEDE InCommon user second factor

Schedule

Current Date: 2023-09-24
Current Status: Closed (Design and Security Review)
Target Date Actual Date Activity Milestone
  2017-02-02 Review launch date
2017-02-15 Written feedback due (Reviewers)
2017-02-17 2017-03-06 Written response date (Review Material Developers)
2017-02-20 2017-03-06 Final approval due and completion date (Reviewers)
Review Created: 2017-02-01 12:15 pm
Review Last Updated: 2017-03-06 7:49 am

 

Reviewers

If you are a reviewer, please login to sign or withdraw from this review.

Required

  • Victor Hazlewood
    SIGNED: 2017-03-03 15:56
  • John-Paul Navarro
    SIGNED: 2017-03-02 10:25

Optional

  • Maytal Dahan
  • Terrence Fleury
    SIGNED: 2017-02-09 10:18
  • Brian Hom
    SIGNED: 2017-02-15 19:11
  • Lee Liming
  • Jim Marsteller
  • Adam Slagell
  • Shava Smallen
    SIGNED: 2017-02-15 20:45
  • Susan Sons
  • Von Welch

Review Material Developers

Jim Basney
Venkatesh Yekkirala

Review Facilitator

John-Paul Navarro

 

Please post your comments using the "New topic" or "Post reply" buttons in the forum below.


National Science Foundation (NSF)

© ACCESS All Rights Reserved.

ACCESS is an advanced computing and data resource supported by the National Science Foundation and made possible through these lead institutions and their partners:
Carnegie Mellon University, University of Colorado Boulder, University of Illinois at Urbana-Champaign, and State University of New York at Buffalo .


Administrative Login