European Workshop on Trust & Identity

In cooperation with GÉANT

EIW 2013 Wed Session 3B

Step up AuthN as a Service

  • Integration with SAML GW?
  • Security aspects
  • Metadata exchange


Convener: Pieter van der Meulen
Notetaker: John Chapman

See pdf for details:

http://www.surfnet.nl/Documents/rapport_Step-up_Authentication-as-a-Service_Architecture_and_Procedures_final.pdf

Start with normal authN; depending on the service, additional authN is requested.

SURFnet has a hub in the middle (SURFConext) that lets it do lots of things.

An IdP could do this itself, but as SURF is a full-service federation and there is no standard way of adding this functionality, SURF is looking at a service to handle both the registration and the step-up AuthN: SURFsure 2.

not doing VPN access initially as there is no standard way of working with VPN gateways


NIST and STORK both have four LoAs (levels of assurance).

The SP requests the authN level in its AuthnRequest to the SC (SURFConext) gateway, which in turn asks the IdP.

So SURFsure is another proxy, just like SURFConext, acting as an SP/IdP gateway.

SPs will need to choose to connect to the SURFsure hub if they need to request LoA2.
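The gateway logic sketched above, as an added example (not SURFnet's code or the SURFsure design itself): the proxy reads the LoA the SP asked for in its SAML AuthnRequest (RequestedAuthnContext), reads the LoA the IdP actually asserted (AuthnContext in the Assertion), and decides whether to release the response, challenge a registered second factor, or refuse. The example.org class-ref URIs, the registration table and the decision rules are assumptions for illustration; the sample XML is constructed inline.

```python
"""Step-up decision at a SAML gateway: compare the LoA an SP asks for
(RequestedAuthnContext in its AuthnRequest) with the LoA the IdP actually
asserted (AuthnContext in the Assertion) and decide whether to release the
response, demand a second factor, or refuse."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed mapping from AuthnContextClassRef URI to LoA 1..4 (NIST/STORK style).
# The example.org URIs are placeholders; a federation publishes its own.
LOA_BY_CLASSREF = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "http://example.org/assurance/loa2": 2,
    "http://example.org/assurance/loa3": 3,
    "http://example.org/assurance/loa4": 4,
}

# Constructed registration table of the step-up service: the LoA reached by the
# second factor a trusted registrar at the institution enrolled for each user.
REGISTERED_TOKEN_LOA = {"jdoe@example.org": 2}


def build_authn_request(classrefs=(), comparison="minimum"):
    """Constructed AuthnRequest (SP -> gateway); no classrefs = no RequestedAuthnContext."""
    rac = ""
    if classrefs:
        refs = "".join("<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>" % c
                       for c in classrefs)
        rac = ('<samlp:RequestedAuthnContext Comparison="%s">%s</samlp:RequestedAuthnContext>'
               % (comparison, refs))
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
            'IssueInstant="2013-01-01T00:00:00Z"><saml:Issuer>https://sp.example.org</saml:Issuer>%s'
            '</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], rac))


def build_assertion(name_id, classref):
    """Constructed Assertion (IdP -> gateway) carrying one AuthnStatement."""
    return ('<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:05Z">'
            '<saml:Issuer>https://idp.example.org</saml:Issuer>'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '<saml:AuthnStatement AuthnInstant="2013-01-01T00:00:05Z"><saml:AuthnContext>'
            '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
            '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>' % (NS["saml"], name_id, classref))


def requested_levels(authn_request_xml):
    """Return (set of LoAs named by the SP, Comparison). An unknown class ref is a
    policy error, never a silent fallback to LoA1."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return {1}, "minimum"          # no step-up requested: ordinary authN suffices
    comparison = rac.get("Comparison", "exact")   # SAML default is "exact"
    if comparison not in ("exact", "minimum"):
        raise ValueError("unsupported Comparison: " + comparison)
    refs = [(e.text or "").strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    unknown = [r for r in refs if r not in LOA_BY_CLASSREF]
    if unknown or not refs:
        raise ValueError("unknown or empty AuthnContextClassRef: %r" % unknown)
    return {LOA_BY_CLASSREF[r] for r in refs}, comparison


def asserted_level(assertion_xml):
    """Return (NameID, LoA) from the IdP's AuthnContext. Only the IdP's assertion
    (signature verification omitted here) decides the first-factor level; nothing
    the SP sent is trusted for it."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    ref = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        namespaces=NS)
    if not name_id or ref is None or ref.strip() not in LOA_BY_CLASSREF:
        raise ValueError("assertion lacks NameID or a recognised AuthnContextClassRef")
    return name_id, LOA_BY_CLASSREF[ref.strip()]


def satisfies(level, levels, comparison):
    return level in levels if comparison == "exact" else level >= min(levels)


def decide(authn_request_xml, assertion_xml):
    """Return ("release" | "step-up" | "reject", LoA the gateway would assert)."""
    levels, comparison = requested_levels(authn_request_xml)
    user, first_factor = asserted_level(assertion_xml)
    if satisfies(first_factor, levels, comparison):
        return "release", first_factor
    token = REGISTERED_TOKEN_LOA.get(user, 0)
    if token and satisfies(token, levels, comparison):
        return "step-up", token          # challenge the enrolled second factor first
    return "reject", first_factor        # no adequate token enrolled: never downgrade
```

The two deliberate refusals are the security-relevant part: an SP naming a class ref the gateway does not know, or a user without an enrolled token, gets an error rather than a quietly lower LoA in the response.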

Slides show an architecture that SURF intends to implement this year.


In-person registration is actually easier and more efficient, as the sites that want to implement this aren't allowed to check official registries.

SURFnet has delegated registration to institutions so trusted parties at institutions are authorised to register individuals that require 2FA.

CERN requires LoA2 AuthN but LoA4 registration. This is pretty much what SURFnet does.

Step up authN might not be as easy in non-hub and spoke federations...

SURFnet management plan: Q2 pilot, Q3 production.