IDPro Newsletter – July 2020
https://idpro.org/idpro-newsletter-july-2020/
Wed, 03 Feb 2021 21:27:44 +0000

EKYC & Identity Assurance Working Group

OpenID Connect is used in a number of places for strong identity assurance, i.e. the Relying Party uses the end-user claims provided by an OP to verify the user’s identity in order to fulfil regulatory or legal requirements, such as anti-money laundering, or in the context of fraud prevention.

As one fundamental challenge, OpenID Connect (and other standards in this field) neither reveals what trust framework the OP complies with for collection, verification, and maintenance of particular end-user claims nor communicates to the Relying Party important metadata about the verification process, such as when the verification took place, what evidence was checked, and what methods were used.

This information is essential for a Relying Party seeking to use OpenID Connect for strong identity assurance in order to fully document the assurance level and circumstances under which data was obtained for auditing purposes and to map the assurance level of the OP (or generally speaking the claim source) to the expected trust framework and assurance level of the Relying Party. For example, an RP could intend to use data verified and maintained under anti-money laundering law in the context of the local telecommunications law. Whether this is possible might depend on the verification method or evidence employed for a particular user, as some methods allowed in the anti-money laundering context might not be allowed in the telecommunications context.

The eKYC & Identity Assurance Working Group at the OpenID Foundation is working towards OpenID Connect extensions for supporting strong identification use cases. The working group started in January 2020 and took over and continues the previous work on OpenID Connect for Identity Assurance (https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html), which started in the AB/Connect Working Group in early 2019.

OpenID Connect introduces the “verified_claims” structure that is used as a container to convey a set of end-user claims along with the related metadata about trust framework, time, evidence, and methods.

The following example shows a user info response containing, besides other claims, verified claims maintained by the OP in accordance with the German Anti-Money Laundering law, indicated by the trust_framework value “de_aml”.

As illustrated by the example, verification data and end-user claims are conveyed in the separate sub-container elements “verification” and “claims”. The example also illustrates that the concept allows verified and other claims to be mixed in the same assertion while retaining a clear boundary between them.
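
An added example, not part of the original newsletter or the specification: a Relying Party check that reads only the “verified_claims” container, compares its trust framework, verification time, and evidence methods against a per-context policy, and keeps an audit record. The policy table, the sample response, and the member names “time”, “evidence”, and “method” are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical RP policy per legal context: accepted trust frameworks,
# accepted evidence methods, and maximum age of the verification.
RP_POLICY = {
    "aml":     {"frameworks": {"de_aml"}, "methods": {"pipp", "eid"}, "max_age_days": 3650},
    "telecom": {"frameworks": {"de_aml"}, "methods": {"eid"},         "max_age_days": 730},
}

# Constructed sample user info response (not real data).
SAMPLE_USERINFO = {
    "sub": "constructed-subject-001",
    "email": "jane.doe@example.com",   # ordinary, unverified claim
    "given_name": "J.",                # unverified copy; must not count as verified
    "verified_claims": {
        "verification": {
            "trust_framework": "de_aml",
            "time": "2020-03-11T14:32:00Z",
            "evidence": [{"type": "id_document", "method": "pipp"}],
        },
        "claims": {"given_name": "Jane", "family_name": "Doe", "birthdate": "1980-05-04"},
    },
}


def assess(userinfo, context, required, now):
    """Return (accepted, audit). accepted holds the verified claims the RP may
    rely on in this context, or None; audit records what was checked and why."""
    policy = RP_POLICY[context]
    audit = {"context": context, "reasons": []}
    container = userinfo.get("verified_claims")
    if not isinstance(container, dict):
        audit["reasons"].append("no verified_claims container")
        return None, audit
    verification, claims = container.get("verification"), container.get("claims")
    if not isinstance(verification, dict) or not isinstance(claims, dict):
        audit["reasons"].append("verification or claims element missing")
        return None, audit
    framework = verification.get("trust_framework")
    evidence = verification.get("evidence") or []
    methods = [e.get("method") for e in evidence if isinstance(e, dict)]
    audit.update(trust_framework=framework, time=verification.get("time"), methods=methods)

    if framework not in policy["frameworks"]:
        audit["reasons"].append("trust framework not accepted")
    try:
        verified_at = datetime.strptime(verification.get("time"), "%Y-%m-%dT%H:%M:%SZ")
        age = now - verified_at.replace(tzinfo=timezone.utc)
        if not timedelta(0) <= age <= timedelta(days=policy["max_age_days"]):
            audit["reasons"].append("verification time outside accepted window")
    except (TypeError, ValueError):
        audit["reasons"].append("verification time missing or malformed")
    if not methods:
        audit["reasons"].append("no evidence listed")
    # This hypothetical policy requires every evidence entry to use an accepted method.
    disallowed = [str(m) for m in methods if m not in policy["methods"]]
    if disallowed:
        audit["reasons"].append("method not accepted: " + ",".join(disallowed))
    # Only claims inside the container count; top-level copies are ignored.
    missing = [c for c in required if c not in claims]
    if missing:
        audit["reasons"].append("required claim not verified: " + ",".join(missing))
    if audit["reasons"]:
        return None, audit
    return {c: claims[c] for c in required}, audit
```

The same response is accepted under the "aml" policy and rejected under "telecom" because of the evidence method, which is the mapping problem the article describes.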

Verified claims can also be provided through aggregated and distributed claims, making OpenID Connect for Identity Assurance a suitable tool for combining verified claims from different sources while keeping the clear relationship between the end-user claims and the assurance levels and metadata.

OpenID Connect for Identity Assurance recently passed the 2nd Implementers Draft voting and is already implemented in a number of products and services. It has been tested against the requirements from different jurisdictions by the broad membership of the working group from Asia, Europe, and North America.

Now that the current specification has become stable, the working group is looking into further topics, e.g. identity assurance for legal entities, and intends to work towards conformance testing for OpenID Connect for Identity Assurance.

Anyone interested in the topic of strong identity assurance and wanting to contribute is highly welcome. The working group holds a weekly call on Wednesday at 3 pm UTC. More information can be found at the working group page: https://openid.net/wg/ekyc-ida/

Torsten Lodderstedt

CTO, yes.com


When Web Browsers Attack – Browsers, Privacy Preservation, and Identity Flows

The world of web browsers is grappling with a deceptively simple mandate: Protect users from third-party tracking. It’s like a motherhood-and-apple-pie statement: having third parties track individual behavior is a significant issue. Legislation around the world agrees that third-party tracking is a Bad Thing.

But what happens when the technology used by advertisers for third-party tracking is the same technology used by enterprise and academic identity federations to support SSO? Suddenly, that simple mandate of “protect against third-party tracking” can potentially disrupt scholarship and business in significant ways. During Identiverse 2020, Vittorio Bertocci presented “Browser Features vs Identity Protocols: An Arms Race?” If you’re not familiar with how third-party tracking works, and how it is indistinguishable (as far as the web browser is concerned) from identity flows, this 30-minute session is something you need to view.

The good news is that even the browser vendors are still in the early stages of figuring out exactly what they want to do. That allows the broader IAM community to engage in the conversation and ensure that all the major use cases are considered. Discussion on this topic has, at least in part, moved into the W3C’s Web Incubator Community Group through Google’s webID project (https://github.com/WICG/WebID). While the webID developers have, to date, focused solely on the consumer space, issues have been raised to highlight enterprise SSO and academic federation requirements. The good news is, now that this discussion is happening in a public forum, more people can get involved. The bad news is that WICG attracts web API developers; additional expertise will almost certainly be needed in the privacy space and standards development.

The browser vendors are expected to be responsive to the issue of third-party tracking. Given that they are still very early in the game of figuring out exactly what they want to do, now is the time for interested parties to get involved and be a part of figuring out a solution that will work for more than just one use case. IAM practitioners, particularly those that support their enterprise SSO environment or who are engaged in supporting academic research and scholarship, should get involved now to help build a robust and implementable solution for all.

Heather Flanagan

Translator of Geek to Human

Spherical Cow Consulting, LLC


News from the Amsterdam Digital Identity Meetup

During the spring and summer the Amsterdam Digital Identity meetup has been running a series of talks around modern authentication and how the different authentication options relate to each other.

We started in January with Multi Factor Authentication where Brian Kloof shared his experience of rolling out Azure AD MFA at a global retailer. In March we learned more about Windows Hello for Business where Pim Jacobs talked about how you implement WHFB in enterprise environments. Finally we got a run through of the FIDO2 standard and how to implement Yubikey in an Azure AD centric enterprise from Per Erngard.

The main conclusion from these talks is that each technology is one piece of the puzzle of minimizing the usage of passwords within an enterprise. MFA will add an additional layer of security on top of the password. The main challenge with MFA is the rollout, especially in Corona times, as the usual approach of requiring enrollment on corporate premises or via VPN is a lot harder to implement when the majority of the staff is working from home.

Some of our members have chosen to soften the enrollment requirements to get staff onboarded despite the downside that you lose the strong onboarding. Many enterprises are taking advantage of the integration with self service password reset functions that more and more MFA vendors are offering to get an improved user experience and lower help desk password reset call volumes.

Windows Hello For Business is getting increasingly popular and the consensus from our members is that it is a very good option for staff that are provided with company managed Windows 10 laptops that have Windows Hello compatible cameras or fingerprint readers. Some of our members have been trying to roll this out using PIN codes, but that has not been successful as the user experience improvement simply is not big enough.

FIDO2 offers an interesting way of providing very strong authentication for users who do not have personal laptops, but share kiosk style machines. This approach is especially interesting for retailers, hospitality, and healthcare companies that have a lot of staff who are not assigned a personal laptop and who need to be able to quickly log in and log out. If you have an Azure Active Directory centric environment the FIDO2 integration offers an attractive way to increase the authentication strength for key identities and applications.

In the fall we are planning talks on identity analytics in cooperation with Forgerock as well as external identities in AAD with Microsoft. We are also hoping to be able to get back to physical meetings but the online meetings have been very well attended and have facilitated some very good discussion. If you are interested and want to learn more, visit https://www.meetup.com/Amsterdam-Digital-Identity-Meetup-Group/ and sign up.

Martin Sandren

Domain Architect IAM at Ahold Delhaize

Let’s Gather Together…in a socially distanced, virtual sort of way
https://idpro.org/lets-gather-together-in-a-socially-distanced-virtual-sort-of-way/
Mon, 12 Oct 2020 20:45:43 +0000

IDPro members have been hosting a Virtual MeetUp each month this year to gather as a community since we are unable to participate in person at conferences or other events. These Virtual MeetUps are a great opportunity to network with other identity professionals and learn more about IDPro’s upcoming activities.

Details of the IDPro Virtual MeetUps can be found in the #general channel in IDPro’s Slack workspace. If you need an invitation, please contact director@idpro.org.

Next IDPro Virtual MeetUp

  • October 15, 2020 at 5pm PDT/8pm EDT/10am AEST (12am UTC) 

Upcoming IDPro Virtual MeetUps

  • November 19, 2020 at 6pm CEST/5pm BST/12 noon EDT/9am PDT (4pm UTC) 
  • December 17, 2020 at 5pm PDT/8pm EDT/10am AEST (12am UTC) 

If you’re interested in volunteering to coordinate a global virtual meetup in your time zone, please contact events@idpro.org. In particular, assistance in the Europe, Asia, and Australia time zones is very welcome!

IAM MeetUps 

If your local IAM MeetUps have gone virtual recently, let us know! We can help promote your event on Twitter, LinkedIn and in the IDPro Slack workspace. If you would like to share a story from your IAM MeetUp, please reach out to editorial@idpro.org and share your news with the rest of our community. 

For additional details and a list of known user groups, check out the IAM User Groups page here.

Follow IDPro on Twitter and LinkedIn for more updates and join the conversation with other members in IDPro’s Slack workspace in the #general channel. 

Cheers!

How to Build an IAM Group
https://idpro.org/how-to-build-an-iam-group/
Tue, 10 Sep 2019 21:27:00 +0000

All I Needed to Know I Learned from Clooney, Pitt, and Damon: Using Ocean’s Eleven to Start an Identity Community

Recently, on a flight over some distant ocean (it matters not where), I had the opportunity to re-watch Ocean’s Eleven for approximately the 1,623rd time. It’s the classic heist movie: a small group of people with a plan — and a killer soundtrack — craft something extraordinary. As the high-oxygen environment deepened my insight, I realized that it was also the blueprint for something no less ambitious: starting your own identity-focused meetup. 

In the summer of 2018, Mike Trachta, David Lee, and I started just such a gathering in the Austin area. What follows is a pairing of our experience and Hollywood-produced cinematic excellence. While our experience may not be universal, the hope is that it would inspire you to create your own local identity community. (Note: it may help to visualize us as looking like Brad Pitt, Matt Damon, and George Clooney for the duration of this article. We’re onboard with that.)

Obviously, for this approach to be intelligible, you have to have seen Ocean’s Eleven at least once. Given the box office statistics, most of humanity has by now — but if you’re one of those that somehow missed it, go fire up your streaming service of choice and watch it. 

No, really. We’ve got nothing but time here.

All done? Great. Let’s get started.

First, we’re going to need that soundtrack I mentioned before. Find it, and before you read any further, fire up the first track, “Boobytrappin.” Feel the groove and let it be your guide to identity success. The rest of the songs from the movie will lead us through a five-step process. As you read each step, play the associated song for inspiration and a deeper understanding of the concepts in play.

Get a Core Together 

“Pickpockets”

“Ten oughta do it, don’t you think? You think we need one more? You think we need one more. Alright, we’ll get one more.” Aside from being the best line from the movie (fight me), George Clooney highlights the key first step: pulling together a core group of people.

Building a community can be a difficult task, and it becomes much easier with a small group to share the load. In July of 2018, Mike, David and I got together several times for drinks and dinner with the common goal of starting up a group associated with IDPro. This gave us time to understand our individual strengths and to figure out what we wanted the group to look like. After a few meetings, we figured out that we wanted to have solid identity content with good networking potential — and that we wanted it to reflect Austin culture as much as possible. That meant a relaxed agenda and attitude; we also recognized that our original ideas would evolve over time, which freed us up from feeling like we had to determine everything up front.

Our advice would be to get a core of at least three people together who want to see a group become reality. Over the course of the past year, it’s been helpful to have more people available to help host — especially as conferences or other travel pulls us away from Austin. Adding others along the way who are interested in helping out can spread the burden further and bring new energy and ideas. This happened for us with the delightful addition of Catherine Schulten in May of 2019.

While we wanted to prevent being locked-in to any set ideas, we also realized that a coherent plan would be helpful, which is what we built over the course of a rye old-fashioned (or two) and bar food. 

Develop Your Plan

“The Plans”

Three Casinos. The best security and safes in the world. A difficult target, but with a plan, anything is possible. Creating a new identity meetup is a challenging prospect that becomes more manageable with a concrete strategy.

As we laid out our proposal for the Austin Identity Professionals Meetup, we wanted to keep it simple and achievable. We settled on meeting once a month, with a rotating location (using WalMart’s Technology center in downtown, and out by the lake at SailPoint’s main offices.) This sponsorship gave us a jump start on the process — rather than having to crowdsource our funding, we were able to demonstrate the potential value to our employers. 

As far as the content, we knew that there were enough identity-minded people and technology companies to support a quasi-regular guest speaker. We’ve had a talk about MFA from (Yubico), a discussion about usability from Wendy Nather (Duo), along with a few other guests. Education and growth were the primary goals rather than, say, hawking a product or a singular approach to a problem.

Planning the actual meetup is not rocket science; having a time, place, and topic or speakers lined up are table stakes for getting a meetup off the ground. It also helps to have something to make the time spent together more enjoyable, like lovely beverages and food — it worked well in our original planning sessions, and so we incorporated it into the group meetings also.

Eat, Drink, and Be Brad Pitt

“Little Less Conversation”

Mr. Pitt eats in almost every role he’s been in, and Ocean’s Eleven is no exception. In fact, in one particular scene he consumed forty-two shrimp during filming. His voracious method acting is a reminder that free food and drink attracts people like a pristine overlook attracts “influencers.”

Content and networking were components of what we wanted to create, but community was first and foremost. Free foodstuffs meant that people would come earlier and leave later, that they would have more time to be known within the group. The community would grow more rapidly when properly fed. It is a universal truth that people cannot live on identity alone. 

In short, be like Brad. Food and drinks are not optional in our opinion, and constant eating may launch you into an international career in film. (That last part might only apply to Mr. Pitt.)

Market All the Things

“Planting the Seed”

This song can be summarized in a single word: infectious. It will be in your brain for a few days, and you’re welcome for that. That kind of memorability is your goal for your group — publicity and marketing are your friends when attempting to create a new identity community.

In Austin, we’ve tried different publicity routes with mixed results. We have our own meetup site, which helps with coordination and discussion for people interested in coming. We’ve promoted it on Twitter, LinkedIn, and various other social media sites as well. Ironically, I’ve found that the best route to adding people to the community is through personal connection and invitation; you know more people than you think, and inviting them one by one is a good route to building up a group rapidly. By and large, we have decent attendance — we average about twelve to fifteen people per meeting, with high water marks of around thirty at particular times of the year.

People can’t join your gathering unless they hear about it, and they won’t hear about it unless you put the effort into publicizing it. That publicity opens the group up to growth and change.

Be Open to Change

Ocean’s Twelve, Ocean’s Thirteen, Ocean’s 8 Soundtracks

Ocean’s Eleven, despite being a remake, was a hit. So, what did they do? They did what anyone would do in their position. They made sequels. And then they made a sequel of sorts with an all-female cast: Ocean’s 8. All of these were successful, with some claiming that Ocean’s 8 was the best of the group.

These variations in plotline, theme, and casting choices illustrate that change is not something to be feared, but rather to be expected. Your original plan will likely need modification at some point. Set a period of time — say a half year, or a year — to reevaluate what is working and what’s not. We’ve had to do this a few times over the past year, delaying meetings, changing format depending on speaker availability; we’ve felt our way along, and we’ve enjoyed our times together because we haven’t been chained to a format set in stone.

That flexibility leads to the final step in creating an identity community, independence.

Don’t Follow My Advice (Completely)

“Clair de Lune”

Ok, I . . . misled . . . you in the opening. There are actually six steps to success. This last one is counter-intuitive, since I just wrote a thousand words on how to build an identity meetup.

Our experience is helpful but not necessarily prescriptive. There is no one set way to start up any group hangout. Starting an identity community is like having a baby — they are all unique. Our meetup looks different than those across the country — and each one should be customized for its local environment.

Take lessons from what we (and others) have created, and then go and build your own without trying to crowbar your reality into a preset mold. Your identity meetup is not defined by form or function, but rather by the group of people that comprise it. Do what works for your group, at your time, and in your location.

Let the melody of this track wash over you and consider the end of Ocean’s Eleven. After all of the lines are spoken, all of the food is consumed, and the music slowly dies away, the members of the group wander away one by one into the “real world,” enriched by their experience together. May your identity gathering do the same for your community.

Mike Kiser
Global Strategist & Evangelist
Office of the CTO
SailPoint

_____________________________

[1] The author does not hold this position, as he regards the first remake of Ocean’s Eleven to be the high-water mark of these films.
[2] It must be noted, however, that some babies are, indeed, ugly. But not your baby, of course. Never yours.
