InCommon Assurance Program: FAQ

InCommon is operated by Internet2.

General Questions

What is it?

Why is it needed?

What profiles does InCommon offer?

How are the InCommon profiles related to NIST 800-63?

What does the Assurance Program cost?

Which Service Providers are planning to require an Identity Assurance Profile?

Have any organizations been qualified as InCommon Bronze or Silver?

How can I stay up-to-date on Assurance Program developments?

Is there a glossary of terms available?

Audit

Do you have resources available for our auditor to use?

We don't have an internal auditor. What should we do?

If we change our infrastructure, will we need to do another audit?

Preparing for Certification

What does my organization need to send to InCommon to apply for certification?

How long will it take to receive an answer about our application for certification?

What does InCommon do after it has received my application?

How does my IdP metadata get updated with the Identity Assurance Qualifiers?

How long does certification last?

If the Silver requirements are a superset of Bronze requirements, does an IdPO need to apply for both, or does Silver cover Bronze too?

How do we express Assurance over the wire?

Profile-related Questions

If I have questions about practices, where can I go?

Do all of an organization's users need to be qualified at Silver for an IdP to qualify at Silver?

We have suggestions for the Identity Assurance Profiles and/or the Identity Assurance Assessment Framework. Where should we send them?

We have an alternate way to achieve one or more criteria in the profile. How do we propose this Alternative Means?

What happens when InCommon revises the profiles?

General Questions

What is it?

The Identity Assurance Program awards certifications to qualifying campuses, non-profit sponsored partners and research organizations that comply with the InCommon requirements for consistent electronic credential and identity management practices. These practices determine how much confidence a Service Provider can place in the accuracy of a user's electronic identity, and so help it mitigate risk.

Why is it needed?

  • Service Providers that offer higher-risk services require a greater level of trust in an Identity Provider's authentication and identity management systems. Establishing common Identity Provider Operator practices that address Service Provider risk requirements enables that increased trust.
  • External approval of your authentication infrastructure and credential management can go a long way towards building trust with stakeholders at your institution.
  • InCommon's Framework and Profiles are written by Higher Education for Higher Education. The Profiles have been approved by the US Government as comparable to those outlined in NIST 800-63. Identity Provider Operators certified against these Profiles are able to use campus credentials to access federal agency services.

What profiles does InCommon offer?

InCommon offers two sets of practices, or profiles:

  • Bronze, comparable to NIST Level of Assurance 1, has a security level that slightly exceeds the confidence associated with a common Internet identity. It verifies that the same person is accessing the service each time, but not the identity of that person.
  • Silver, comparable to NIST Level of Assurance 2, has a security level appropriate for services requiring identity, such as financial transactions. Because of the identity proofing and stricter technical requirements, Silver provides some confidence about the identity of the individual using the service.

How are the InCommon profiles related to NIST 800-63?

The InCommon Community developed these profiles for research and education to satisfy the Federal Identity, Credential and Access Management (FICAM) requirements, which reference NIST 800-63 as the basis for that program. The Bronze and Silver Profiles were written for and by Higher Education implementers and are comparable to Levels 1 and 2 outlined by NIST. InCommon's profiles specify password-based techniques only, but allow approved Alternative Means to be used.

What does the Assurance Program cost?

  • There is no cost to Service Providers.
  • For Identity Providers, Bronze is free. Silver has an annual fee (in addition to the annual InCommon fee). Fees are tiered, and there are discounts for the first three years that the Assurance Program is open.

Which Service Providers are planning to require an Identity Assurance Profile?

Identity Assurance is useful across the academy, including research and administrative-related services:

  • National Student Clearinghouse for financial aid reporting and access for students and financial aid staff.
  • CILogon access to CI services such as Open Science Grid.
  • Research Virtual Organizations such as LIGO.
  • Federal grant submission programs.
  • Department of Education.

Have any organizations been qualified as InCommon Bronze or Silver?

Yes; see the official list.

How can I stay up-to-date on Assurance Program developments?

Join the assurance list. Send email to sympa@incommon.org with this in the subject: subscribe assurance.

Is there a glossary of terms available?

Yes. A detailed glossary is available on the Assurance web site.

Audit

Do you have resources available for our auditor to use?

Yes. Please see the Auditor's Toolkit in the Assurance wiki.

We don't have an internal auditor. What should we do?

We will be publishing a list of third-party auditors. In the interim, please contact admin AT incommon.org for suggestions.

If we change our infrastructure, will we need to do another audit?

You will only have to perform another audit if the change is to your Silver-certified infrastructure and the AAC determines that the change is significant enough to warrant one. You must notify InCommon in advance of implementing the change, as noted in the Identity Assurance Assessment Framework and Identity Assurance Profiles. If the new implementation is significantly different from the one certified in your application, the AAC may require an incremental or possibly a full audit. If a full audit is required and your changes are approved, InCommon will update your expiration date to three years from the approval date.

Preparing for Certification

What does my organization need to send to InCommon to apply for certification?

For Bronze, you just need to complete and sign the Assurance Addendum [PDF].

For Silver, you will need to provide a summary of the audit report, as outlined in the Identity Assurance Assessment Framework [PDF], and a signed Assurance Addendum [PDF] to the InCommon Participants Agreement. You can learn more on the Join page.

How long will it take to receive an answer about our application for certification?

The process takes roughly one month to complete. If it is expected to require more time, the InCommon staff will contact you.

What does InCommon do after it has received my application?

  1. InCommon's Registrar and Assurance Manager verify that your application is complete for the profile(s) you are requesting and work with you to get everything in order. Once complete:
    1. For Bronze, InCommon will countersign your Assurance Addendum.
    2. For Silver, the Assurance Manager sends your application materials to the Assurance Advisory Committee (AAC) for review. The AAC may have questions during the review process and, if so, will ask the Assurance Manager to contact you. If your application is approved, the AAC will send a recommendation of approval to Steering. Once Steering approves, InCommon will countersign your Assurance Addendum.
  2. Your Identity Assurance Profile qualifiers will be queued to be added to the InCommon metadata. Your site admin will be sent a note before and after the qualifier(s) are added.
  3. Finally, the Assurance Manager will email you regarding your new certification.

How does my IdP metadata get updated with the Identity Assurance Qualifiers?

Once you are certified, InCommon will insert the appropriate Identity Assurance Qualifiers into your IdP's entry in the InCommon metadata, so that Service Providers can check your official certification status there rather than trusting the IdP's own claim.

How long does certification last?

If your organization doesn't change any of the processes, technology, or operations that support your Assurance certification, your campus is certified for three years. If you change anything relating to the IAP for which you applied, follow the process outlined in the Identity Assurance Assessment Framework. When you are certified, InCommon will send you the expiration date for your records. We will also notify you and remind you to submit your documentation when your certification period nears expiration.

If the Silver requirements are a superset of Bronze requirements, does an IdPO need to apply for both, or does Silver cover Bronze too?

An IdPO applying for Silver must also apply for Bronze. This can be done in the same submission to InCommon. The dual submission is necessary to cover the common case where an IdPO has a mix of users: some meet the Silver requirements, some Bronze, and some neither. The IdPO needs to affirm that whenever the Bronze IAQ is placed in an assertion for a user, the Bronze requirements have been met for that user. For an IdPO that meets the Silver requirements, this should be relatively straightforward. Applying for Bronze is as easy as signing the Assurance Addendum, which you have to do anyway.

How do we express Assurance over the wire?

Assurance is expressed per authentication using the SAML2 AuthnContext in the assertion, not as a user attribute. For information on how to configure your system, see the Assurance Technical Implementation Considerations. You will also need to support the Federal SAML2 Profile.
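The two answers above (qualifiers published in metadata, assurance carried on the wire as AuthnContext) together with the mixed-user case described under the Silver/Bronze question imply a specific Service Provider-side check: the AuthnContextClassRef an IdP asserts for a given login must be one the federation metadata says that IdP is certified for, and must be one the SP's policy accepts. The following Python is an added example written for this page, not InCommon's code or any product's. It assumes, since the page does not spell them out, that the Bronze and Silver qualifiers are the URIs http://id.incommon.org/assurance/bronze and http://id.incommon.org/assurance/silver, that they are published in metadata as values of the assurance-certification entity attribute, and that they appear on the wire as AuthnContextClassRef values; the metadata and response documents are constructed for the example, with signatures omitted.

```python
"""SP-side check of an IdP's asserted assurance level against federation metadata.

Added example, not InCommon's code.  Assumptions (not stated on the FAQ page):
the Bronze/Silver qualifier URIs, their placement in the assurance-certification
entity attribute, and their use as AuthnContextClassRef.  All XML is constructed
here for the example; real metadata and assertions are signed and must be
verified before any of this is trusted.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ASSURANCE_CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
BRONZE = "http://id.incommon.org/assurance/bronze"   # assumed qualifier URI
SILVER = "http://id.incommon.org/assurance/silver"   # assumed qualifier URI

# Constructed metadata: one IdP certified for Bronze only, one for Bronze and Silver
# (a Silver IdPO must also hold Bronze, per the FAQ).  Hypothetical entityIDs.
BRONZE_IDP = "https://idp-bronze.example.edu/idp/shibboleth"
SILVER_IDP = "https://idp-silver.example.edu/idp/shibboleth"
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="{BRONZE_IDP}"><md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="{ASSURANCE_CERT_ATTR}">
      <saml:AttributeValue>{BRONZE}</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
  <md:EntityDescriptor entityID="{SILVER_IDP}"><md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="{ASSURANCE_CERT_ATTR}">
      <saml:AttributeValue>{BRONZE}</saml:AttributeValue>
      <saml:AttributeValue>{SILVER}</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def make_response(issuer, context_ref):
    """Build a minimal, constructed (unsigned) SAML2 Response carrying one AuthnContextClassRef."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.edu</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>{context_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def certified_qualifiers(metadata_xml, entity_id):
    """Qualifiers the federation metadata lists for entity_id (empty set if none/unknown)."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        found = set()
        for attr in ed.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_CERT_ATTR:
                found.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
        return found
    return set()


def asserted_contexts(response_xml):
    """(assertion issuer, list of AuthnContextClassRef values) from a SAML2 Response."""
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    refs = [e.text.strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS) if e.text]
    return (issuer.strip() if issuer else None), refs


def accept(response_xml, metadata_xml, acceptable):
    """True only if the asserted context is both acceptable to this SP and listed in
    metadata as a qualifier the issuing IdP is certified for.  An IdP claiming Silver
    while metadata shows only Bronze is rejected, as is any unknown issuer."""
    issuer, refs = asserted_contexts(response_xml)
    if not issuer:
        return False
    certified = certified_qualifiers(metadata_xml, issuer)
    return any(ref in acceptable and ref in certified for ref in refs)


if __name__ == "__main__":
    # An SP that requires at least Bronze accepts either qualifier; one that
    # requires Silver accepts only Silver, and only from a Silver-certified IdP.
    print(accept(make_response(BRONZE_IDP, BRONZE), METADATA, {BRONZE, SILVER}))
    print(accept(make_response(BRONZE_IDP, SILVER), METADATA, {SILVER}))
```

The metadata lookup is what makes the check meaningful: the IdP controls the AuthnContextClassRef it sends, but it does not control the InCommon-maintained qualifier list, so an over-claim (Silver from a Bronze-only IdP) fails. In deployment, run this only against a metadata file whose signature you have verified and an assertion whose signature you have verified; the example omits both.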

Profile-related Questions

If I have questions about practices, where can I go?

  • Ask your peers for their suggestions on the assurance at incommon.org email list. Using this approach, you will receive more detailed information and can discuss the pros and cons of the various methodologies.
  • Review the practices on the Community Contributions Wiki
  • Send a note to Ann West, the InCommon Assurance Manager (awest at internet2.edu) and she will consult with the Assurance Advisory Committee (AAC). While the AAC cannot provide official approval of your practice and reserves the right to review your application in total once submitted, the AAC is interested in helping IdP Operators (IdPOs) to be certified and will do what it can to assist.

Do all of an organization's users need to be qualified at Silver for an IdP to qualify at Silver?

No. In most IdP organizations there will be users who have been identity proofed and possess Silver credentials and others that have not. The Identity Provider must only assert Silver Qualifiers for those individuals who have gone through the related processes and possess the appropriate credentials.

We have suggestions for the Identity Assurance Profiles and/or the Identity Assurance Assessment Framework. Where should we send them?

You can forward them to the Assurance Manager (awest AT internet2.edu) for submission to the Assurance Advisory Committee. The AAC is responsible for alerting the InCommon Steering Committee to new requirements and for maintaining errata.

We have an alternate way to achieve one or more criteria in the profile. How do we propose this Alternative Means?

Alternative Means is the term used when an IdP develops a method for satisfying an Assurance profile criterion in a way that is equivalent to or stronger than the one specified in the Assurance documents. The Alternative Means page provides details on how to submit your proposed method.

What happens when InCommon revises the profiles?

InCommon may revise the Framework and Profiles and will communicate with the Community about the changes and the timeframe. Identity Providers will have at least six months, depending on the scope of the new requirements, to come into compliance with the new standard.

Copyright 2004-2013 InCommon LLC. All rights reserved. info@incommon.org.