Assurance FAQ
General Questions
What is it?
Why is it needed?
What profiles does InCommon offer?
How are the InCommon profiles related to NIST 800-63?
What does the Assurance Program cost?
Which Service Providers are planning to require an Identity Assurance Profile?
How can I stay up-to-date on Assurance Program developments?
Is there a glossary of terms available?
Certification
What does my organization need to send to InCommon to apply for certification?
What does InCommon do after it has received my application?
If I have questions about practices, where can I go?
Do you have resources available for our auditor to use?
We don't have an internal auditor. What should we do?
How long will it take to receive an answer about our application for certification?
How long does certification last?
If we change our infrastructure, will we need to do another audit?
How do we express Assurance over the wire?
How does my IdP metadata get updated with the Identity Assurance Qualifiers?
Profile-related Questions
If my organization is certified for Silver, can it assert Bronze?
If the Service Provider is asking for Bronze, can I assert Silver and get access?
Have any organizations been qualified as InCommon Bronze or Silver?
Do all of an organization's users need to be qualified at Silver for an IdP to qualify at Silver?
We have suggestions for the Identity Assurance Profiles or/and the Identity Assurance Assessment Framework. Where should we send them?
What happens when InCommon revises the profiles?
General Questions
What is it?
The Identity Assurance Program awards certifications to qualifying campuses and non-profit sponsored partners and research organizations that support InCommon requirements for consistent electronic credential and identity management practices. These practices determine the confidence in the accuracy of a user’s electronic identity and help mitigate risk for the Service Provider.
Why is it needed?
- Service Providers that offer higher-risk services require a greater level of trust in the Identity Provider's authentication and identity management systems.
- Establishing common Identity Provider Operator (the organization operating an IdP) practices that address Service Provider risk requirements enables that increased trust.
What profiles does InCommon offer?
InCommon will initially offer two sets of practices, or profiles:
- Bronze, equivalent to NIST Level of Assurance 1, has a security level that slightly exceeds the confidence associated with a common Internet identity.
- Silver, equivalent to NIST Level of Assurance 2, has a security level appropriate for financial transactions.
How are the InCommon profiles related to NIST 800-63?
The InCommon Community developed these profiles for research and education to satisfy the Federal Identity, Credential and Access Management requirements, which reference NIST 800-63 as the basis for their program.
What does the Assurance Program cost?
- There is no cost to Service Providers.
- Identity Providers pay an annual fee (that is in addition to the annual InCommon fee). Fees are tiered and there are discounts for the first three years the Assurance Program is open.
Which Service Providers are planning to require an Identity Assurance Profile?
Identity Assurance is useful across the academy, including research and administrative-related services:
- National Student Clearinghouse for financial aid reporting and access for students and financial aid staff.
- CILogon access to CI services such as Open Science Grid.
- Research Virtual Organizations such as LIGO.
- Federal grant submission programs.
How can I stay up-to-date on Assurance Program developments?
Join the assurance list. Send email to sympa@incommon.org with this in the subject: subscribe assurance.
Is there a glossary of terms available?
Yes. You can see a detailed glossary here on the Assurance web.
Certification
What does my organization need to send to InCommon to apply for certification?
You will need to provide a summary of the audit report as outlined in the Identity Assurance Assessment Framework, including your auditor's qualifications, and a completed Assurance Addendum to the InCommon Participants Agreement. You can learn more on the Join page.
What does InCommon do after it has received my application?
- The Assurance Manager verifies completeness and works with you to have everything in order before sending it to the Assurance Advisory Committee (AAC) for review.
- The AAC may also have questions during the review process and, if so, will ask the Assurance Manager to contact you.
- Assuming your application is approved, the AAC will send a recommendation of approval to Steering.
- Once approved by Steering, the Assurance Addendum to your Legal Agreement will be countersigned by InCommon and your Identity Assurance Profile qualifiers will be queued to be added to metadata.
- Your admin will be sent a note before and after the qualifier(s) are added.
- Finally, the Assurance Manager will email you regarding your new certification.
If I have questions about practices, where can I go?
- Ask your peers for their suggestions on the assurance at incommon.org email list. Using this approach, you will receive more detailed information and can discuss the pros and cons of the various methodologies.
- Review the practices on the Community Contributions Wiki.
- Send a note to Ann West, the InCommon Assurance Manager (awest at internet2.edu) and she will consult with the Assurance Advisory Committee (AAC). While the AAC cannot provide official approval of your practice and reserves the right to review your application in total once submitted, the AAC is interested in helping IdP Operators (IdPOs) to be certified and will do what it can to assist.
Do you have resources available for our auditor to use?
Not yet, but we’re assembling an auditor’s toolkit.
We don't have an internal auditor. What should we do?
We will be publishing a list of third-party auditors. In the interim, please contact admin AT incommon.org for suggestions.
How long will it take to receive an answer about our application for certification?
The process takes roughly one month to complete. If it is expected to require more time, the InCommon staff will contact you.
How long does certification last?
If your organization doesn't change any processes, technology, or operations that support your Assurance Certification, your campus is certified for three years. If you change anything relating to the IAP for which you applied, see the process outlined in the Identity Assurance Assessment Framework. When you are certified, InCommon will send you the date of expiration so you will have that for your records. We will also notify you and remind you to submit your documentation when your certification time period nears expiration.
If we change our infrastructure, will we need to do another audit?
It depends on what you are changing. You will need to notify InCommon in advance of implementing your change, as noted in the Identity Assurance Assessment Framework and Identity Assurance Profiles. The AAC will review your changes and get back to you. If the new implementation is significantly different from the one audited for your application for certification, then yes, the AAC may require an incremental or possibly full audit. If you need to do a full audit and your changes are approved, InCommon will update your expiration date to be three years from the approval date.
How do we express Assurance over the wire?
Assurance is expressed using SAML2 AuthnContext, not attributes. For information on how to configure your system, see the Assurance Technical Implementation Considerations.
How does my IdP metadata get updated with the Identity Assurance Qualifiers?
Once certified, InCommon will insert the appropriate Identity Assurance Qualifiers into your metadata for Service Providers to check your official status.
Profile-related Questions
If my organization is certified for Silver, can it assert Bronze?
Yes, if your IdP is certified for Silver, you can assert both Bronze and Silver Qualifiers.
If the Service Provider is asking for Bronze, can I assert Silver and get access?
No. In current practice, if the SP requests Bronze, you must send the Bronze Qualifier.
Have any organizations been qualified as InCommon Bronze or Silver?
The program opened February 29, 2012. Several InCommon participants have been working intensively on moving their IdP operations toward compliance. We expect our first applications in the Spring of 2012.
Do all of an organization's users need to be qualified at Silver for an IdP to qualify at Silver?
No. In most IdP organizations there will be users who have been identity proofed and possess Silver credentials and others that have not. The Identity Provider must only assert Silver Qualifiers for those individuals who have gone through the related processes and possess the appropriate credentials.
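The three rules above (a Silver-certified IdP may assert Bronze or Silver; an SP that asks for Bronze must receive the Bronze Qualifier; Silver may only be asserted for users who have actually been identity-proofed), together with the earlier answers that assurance travels in SAML2 AuthnContext rather than in attributes and that InCommon publishes the certified qualifiers in the IdP's metadata, can be checked mechanically on both sides of the exchange. The following Python is an added example, not code from the InCommon FAQ or from any InCommon software: it shows an IdP choosing the qualifier to put in AuthnContextClassRef and an SP verifying the returned value against what it requested and against the IdP's metadata. The qualifier URIs, the entity-attribute name, the entityIDs and the XML skeletons are constructed for this example and are assumptions; signature, Conditions and Subject validation of a real assertion are deliberately left out.

```python
# Added example (not from the InCommon FAQ or the InCommon project): how an IdP picks the
# Identity Assurance Qualifier to send in SAML2 AuthnContext, and how an SP checks it
# against what it requested and against the qualifiers in the IdP's metadata.
# Assumptions, labelled: the qualifier URIs, the entity-attribute name and the sample
# entityIDs below are constructed for this example; real deployments must also validate
# the XML signature, Conditions and Subject of the assertion, which this example omits.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
}
# Assumed URIs for the two InCommon qualifiers and for the metadata entity attribute
# that carries them; the FAQ names Bronze and Silver but gives no URIs.
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# FAQ rule: a Silver certification also allows asserting Bronze; Bronze allows only Bronze.
IMPLIED = {SILVER: {SILVER, BRONZE}, BRONZE: {BRONZE}}


def allowed_by(qualifiers):
    """Expand a set of held or certified qualifiers into everything they permit asserting."""
    return set().union(*(IMPLIED.get(q, set()) for q in qualifiers))


def idp_choose_qualifier(idp_certified, user_qualifier, requested):
    """IdP side. Returns the qualifier to place in AuthnContextClassRef, or None.
    Three FAQ rules: the IdP must be certified for it, the user must actually hold it
    (Silver only for identity-proofed users), and it must be exactly what the SP asked
    for (an SP asking for Bronze gets Bronze, not Silver)."""
    if requested not in IMPLIED:
        return None
    if requested not in allowed_by(idp_certified):
        return None
    if user_qualifier is None or requested not in allowed_by({user_qualifier}):
        return None
    return requested


def build_response(entity_id, qualifier):
    """Constructed, unsigned SAML2 Response skeleton with the qualifier in AuthnContext."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>{entity_id}</saml:Issuer>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{qualifier}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_idp_metadata(entity_id, qualifiers):
    """Constructed IdP metadata fragment of the kind a federation publishes after
    certification: the qualifiers are an entity attribute, not a user attribute."""
    values = "".join(f"<saml:AttributeValue>{q}</saml:AttributeValue>" for q in qualifiers)
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
    xmlns:saml="{NS['saml']}" entityID="{entity_id}">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="{CERT_ATTR}">{values}</saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""


def certified_qualifiers(metadata_xml):
    """SP side: read the assurance-certification entity attribute out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for attr in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == CERT_ATTR:
            found.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return found


def sp_accept(response_xml, metadata_xml, requested):
    """SP side: accept only if the asserted AuthnContextClassRef is exactly the requested
    qualifier, the issuer matches the metadata entityID, and the IdP's metadata shows it
    is certified for that qualifier (directly, or via Silver implying Bronze)."""
    root = ET.fromstring(response_xml)
    issuer = root.find(".//saml:Issuer", NS)
    ctx = root.find(".//saml:AuthnContextClassRef", NS)
    if issuer is None or ctx is None:
        return False
    meta = ET.fromstring(metadata_xml)
    if meta.get("entityID") != (issuer.text or "").strip():
        return False
    asserted = (ctx.text or "").strip()
    return asserted == requested and asserted in allowed_by(certified_qualifiers(metadata_xml))


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"  # constructed entityID
    meta = build_idp_metadata(idp, [SILVER])
    q = idp_choose_qualifier(certified_qualifiers(meta), SILVER, BRONZE)  # SP asked for Bronze
    print("IdP asserts:", q)
    print("SP accepts:", sp_accept(build_response(idp, q), meta, BRONZE))
```

Two design points are worth noting. The SP compares the asserted qualifier for equality with the one it requested rather than accepting anything "at least as strong", because that is the current practice the FAQ describes; relaxing it is a per-SP policy decision. The SP also never trusts the assertion alone: the metadata check is what ties the qualifier to the IdP's actual certification status, which is why the FAQ has InCommon, not the IdP, insert the qualifiers into metadata.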
We have suggestions for the Identity Assurance Profiles or/and the Identity Assurance Assessment Framework. Where should we send them?
You can forward them to the Assurance Manager (awest AT internet2.edu) for submission to the Assurance Advisory Committee. The AAC is responsible for alerting the InCommon Steering Committee of new requirements and for maintaining errata.
What happens when InCommon revises the profiles?
InCommon may revise the Framework and Profiles and will communicate with the Community about the changes. Identity Providers will have at least six months to come to compliance with the new standard depending on the scope of the new requirements.