e-Authentication in Higher Education: The Project

Presenters: Tim Cameron, National Council of Higher Education Loan Programs; Tim Bornholtz, The Bornholtz Group


DESCRIPTION

e-Authentication in Higher Education: The Project. Presenters: Tim Cameron, National Council of Higher Education Loan Programs; Tim Bornholtz, The Bornholtz Group. The Meteor Story. What is Meteor? A web-based network for aggregated real-time inquiry of financial aid information. PowerPoint (PPT) presentation.

TRANSCRIPT

Page 1: e-Authentication in Higher Education  The Project

e-Authentication in Higher Education

The Project

Presenters:

Tim Cameron, National Council of Higher Education Loan Programs

Tim Bornholtz, The Bornholtz Group

Page 2: The Meteor Story

Page 3: What is Meteor?

Web-based network for aggregated real-time inquiry of financial aid information

• One stop, online web service
• Collaborative effort of the FFELP community
• Freely available software and access to the network
• Customization options are available

Page 4: In the beginning…

Pre-Meteor Environment (1980s and 1990s)

• Lenders, Guarantors, Servicers, Schools and others all offered independent web services
• Required multiple logins
• Low level of security: many required only SSN and DOB to access financial aid award data!

Page 5: In the beginning…

Department of Education Modernization Plans

• Performance Based Organization approved with the Higher Education Amendments in 1998
• Modernization Blueprint
  • Released September 30, 1999
  • Second Edition – 2000
  • Third Edition – 2001
  • Fourth Edition – 2002

Page 6: In the beginning…

FFELP Providers Solution

• Spring 2000: CEO meeting sponsored by NCHELP
• Critical decision: create an information network to provide aggregated financial aid information.

Foundation Principles

• Open Source
• Open Collaboration
• Freely Available
• Controlled Participation Network

Page 7: Meteor Today

• 14 points of access to the network
• 20 data providers
• School Authentication Agents
• Several custom implementations

Page 8: Meteor Participant Types

Organizations that implement the Meteor software:

• Access Providers (AP)
• Authentication Agents (AA)
• Data Providers (DP)
• Index Providers (IP)

Page 9: The Meteor Process

[Diagram: "Federated Authentication Process". Users (Student/Borrower, Financial Aid Professional, Access Provider Representative, or Lender), Access Provider, Index Provider and Data Providers, with steps labelled One, Two and Three.]

Page 10: The Meteor Registry

Each participant is required to register, sign a participation agreement, and submit policies and procedures surrounding their authentication process.

The Meteor Team Leads review the policies and procedures and assign a Level of Assurance.

Meteor uses a centralized LDAP server to contain:

• Public keys of all participants
• Network status information (active, pending, suspended)
• Contact information

Page 11: Meteor Authentication Objectives & Process

Page 12: Meteor's Authentication Objectives

• Provide a flexible, easy to implement authentication system.
• Ensure compliance with the Gramm-Leach-Bliley Act (GLBA), federal guidelines, and applicable state privacy laws.
• Assure data owners that only appropriately authenticated end users have access to data.
• Ensure compliance with participant organizations' internal security and privacy guidelines.

Page 13: The Meteor Authentication Model

• Each Access Provider uses their existing authentication model (single sign-on)
• Meteor levels of assurance are assigned at registration
• Meteor Level 3 complies with NIST Level 2

Page 14: Meteor's Authentication Requirements

• User is required to provide an ID and a shared secret.
• Assignment and delivery of the shared secret must be secure.
• Assignment of the shared secret is based on validated information.
• Reasonable assurance that the storage of IDs and shared secrets is secure.

Page 15: Meteor's Authentication Requirements (continued)

• Access Provider must ensure appropriate authentication for each end user and provide traceability back to that user
• Access Provider must provide its authentication policy to the central authority
• Access Provider must give the central authority 30 days' advance notice of changes to its authentication policy
• Access Provider must agree to appropriate use of data

Page 16: Meteor Technical Architecture

Page 17: Meteor Technical Architecture

• Apache SOAP
• SAML 1.0 – custom implementation for Meteor
• Apache XML Security
• Centralized LDAP server with:
  • Valid participant status
  • X.509 public key
  • Contact info
  • Valid authentication methods

Page 18: SAML Assertion Attributes

• Role of end user
• Social Security Number
• Authentication Process ID
• Level of Assurance
• Opaque ID
• Organization ID and Type

Page 19: Meteor Security – Authentication

• Each Access Provider authenticates the users at their local site.
• Local security policy is reviewed by the Meteor security team.
• Each provider (Access, Index, Data) is authenticated with X.509 certificates stored in a secure centralized server.

Page 20: Meteor Security

Access Control

• Coarse-grained role-based access control
• FAA can view any SSN
• Borrower can only see their own SSN
• CSR can only see SSNs where they are a party

Data confidentiality

• All production requests are encrypted with SSL/TLS
• Data not stored at Access Provider
• Legal agreements in place to determine who can access the network
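The three role rules above, as an added example in Python (not Meteor's own code; the page describes the rules only at this level): a Data Provider-side check that reads the role, SSN and organization from the attributes carried in the assertion. The role strings, the attribute names and the party-records table are assumptions made for illustration.

```python
# Added example (not Meteor's code): coarse-grained role-based access control
# for a Data Provider deciding whether to answer a request for one SSN.
# Role strings and attribute names are assumed; the page does not give them.

# Constructed sample data standing in for the Data Provider's own records:
# which organizations are a party (lender, servicer, guarantor) to which SSN.
PARTY_RECORDS = {
    "123-45-6789": {"LENDER-A", "GUARANTOR-X"},
    "987-65-4321": {"LENDER-B"},
}


def normalize_ssn(ssn):
    """Compare SSNs on digits only so '123456789' and '123-45-6789' match."""
    return "".join(ch for ch in str(ssn) if ch.isdigit())


def may_view(assertion_attrs, requested_ssn, party_records=PARTY_RECORDS):
    """Return True if the authenticated user described by the SAML attributes
    may see data for requested_ssn.

    Rules from the Meteor slide:
      FAA      - may view any SSN
      BORROWER - may view only their own SSN
      CSR      - may view only SSNs where their organization is a party
    Anything else (unknown role, missing attribute, empty SSN) is denied.
    """
    role = assertion_attrs.get("Role")
    wanted = normalize_ssn(requested_ssn)
    if not wanted:
        return False
    if role == "FAA":
        return True
    if role == "BORROWER":
        own = normalize_ssn(assertion_attrs.get("SSN", ""))
        return bool(own) and own == wanted
    if role == "CSR":
        org = assertion_attrs.get("OrganizationID")
        parties = {normalize_ssn(k): v for k, v in party_records.items()}
        return org is not None and org in parties.get(wanted, set())
    return False
```

Denying by default is the part worth keeping: a role added on the Access Provider side gets no data until a rule exists for it, and a borrower assertion that arrives without its SSN attribute fails closed instead of matching an empty string.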

Page 21: Meteor Security – Nonrepudiation

SAML assertion has:

• Issue Instant
• Not Before time
• Not On Or After time – default range is 4 hours
• Digitally signed with creator's X.509 cert

Each request has:

• Timestamp for issue instant
• Default validity is 15 seconds
• Digitally signed with Access Provider's X.509 cert
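Pages 10, 17, 18, 19 and 21 together describe one mechanism: a central registry holding each participant's status and X.509 public key, a SAML 1.0 assertion signed by its creator that carries the six attributes and is valid for a four-hour window, and a per-request timestamp signed by the Access Provider and valid for 15 seconds. The following is an added example in Python of that mechanism, not Meteor's custom SAML implementation. Two stand-ins are assumptions so that it runs offline on the standard library: a dict plays the LDAP registry, and HMAC-SHA256 with a per-participant secret plays the X.509 signature (a shared secret cannot give the nonrepudiation that a certificate signature is meant to; only the verification flow is the same). Element and attribute names are simplified rather than SAML 1.0's.

```python
# Added example (not Meteor's own code). Stand-ins, labelled as assumptions:
# REGISTRY is a dict in place of the central LDAP server, and HMAC-SHA256 with a
# per-participant secret is used in place of the X.509 signature so the example
# runs offline on the standard library. Element names are simplified, not SAML 1.0's.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
SECOND = timedelta(seconds=1)
ASSERTION_LIFETIME = 4 * HOUR     # slide: Not On Or After, default range is 4 hours
REQUEST_LIFETIME = 15 * SECOND    # slide: request default validity is 15 seconds
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed registry entries: network status plus the key used to check signatures.
REGISTRY = {
    "AP-EXAMPLE-U": {"status": "active", "key": b"ap-example-u-secret"},
    "AP-OLD-STATE": {"status": "suspended", "key": b"ap-old-state-secret"},
}
NOW = datetime(2004, 6, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed sample time

def _ts(t):
    return t.strftime(TS_FMT)

def _parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)

def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def build_assertion(issuer, attrs, now):
    """Access Provider side: a signed assertion with the slide's validity window.
    attrs maps the attribute names (Role, SSN, OpaqueID, ...) to values."""
    root = ET.Element("Assertion", Issuer=issuer, IssueInstant=_ts(now))
    ET.SubElement(root, "Conditions", NotBefore=_ts(now),
                  NotOnOrAfter=_ts(now + ASSERTION_LIFETIME))
    stmt = ET.SubElement(root, "AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, "Attribute", AttributeName=name)
        ET.SubElement(attr, "AttributeValue").text = str(value)
    xml = ET.tostring(root)
    return xml, _sign(REGISTRY[issuer]["key"], xml)

def build_request(issuer, requested_ssn, now):
    """Access Provider side: every request is timestamped and signed on its own."""
    root = ET.Element("Request", Issuer=issuer, IssueInstant=_ts(now))
    ET.SubElement(root, "RequestedSSN").text = requested_ssn
    xml = ET.tostring(root)
    return xml, _sign(REGISTRY[issuer]["key"], xml)

def _issuer_or_signature_error(root, xml, signature):
    """First step for both documents: the issuer must be active in the registry and
    the signature must verify, over the bytes as received, with its registered key."""
    entry = REGISTRY.get(root.get("Issuer"))
    if entry is None:
        return "issuer not in registry"
    if entry["status"] != "active":
        return "issuer status is %s" % entry["status"]
    if not hmac.compare_digest(_sign(entry["key"], xml), signature):
        return "bad signature"
    return None

def validate_assertion(xml, signature, now):
    """Data Provider side. Returns (ok, reason, attrs); attrs is empty on failure."""
    root = ET.fromstring(xml)
    err = _issuer_or_signature_error(root, xml, signature)
    if err:
        return False, err, {}
    cond = root.find("Conditions")
    in_window = _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))
    if not in_window:                                   # NotOnOrAfter is exclusive
        return False, "assertion outside validity window", {}
    attrs = {a.get("AttributeName"): a.findtext("AttributeValue")
             for a in root.iter("Attribute")}
    return True, "ok", attrs

def validate_request(xml, signature, now):
    """Data Provider side: signature, then 15 second freshness; a future-dated
    request is rejected as well. Returns (ok, reason)."""
    root = ET.fromstring(xml)
    err = _issuer_or_signature_error(root, xml, signature)
    if err:
        return False, "request: " + err
    age = now - _parse_ts(root.get("IssueInstant"))
    if not (timedelta(0) <= age < REQUEST_LIFETIME):
        return False, "request outside 15 second window"
    return True, "ok"

def accept(request_xml, request_sig, assertion_xml, assertion_sig, now):
    """Data Provider entry point: the request and the assertion it relies on must both pass."""
    ok, reason = validate_request(request_xml, request_sig, now)
    if not ok:
        return False, reason, {}
    return validate_assertion(assertion_xml, assertion_sig, now)
```

The check order is the point: look up the issuer's registry status and key, verify the signature over the exact bytes received, and only then trust the validity window and the attributes. Not On Or After is treated as exclusive, and a request dated in the future is rejected rather than counted as fresh.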

Page 22: Meteor Logging and Monitoring

• Each provider keeps logs for a minimum of one year
• Each SAML assertion has an opaque ID
  • Similar to a userid
  • Can be used to trace a request through every step of the process
• Help Desk monitors network for unusual traffic
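Tracing a request by its opaque ID, as an added example in Python (not Meteor's code; the log format is constructed for the example and the page does not describe the real one): it groups log lines from the Access, Index and Data Providers by opaque ID, reconstructs the path a request took, and flags opaque IDs that reached a Data Provider without any Access Provider logging the assertion, one form of the unusual traffic the Help Desk watches for.

```python
# Added example (not Meteor's own code): correlating provider logs by the
# opaque ID carried in each SAML assertion. The line format is constructed
# for this example; real Meteor log layouts are not described on the page.
import re
from collections import defaultdict

# Constructed sample log lines from an Access Provider (AP), the Index Provider (IP)
# and Data Providers (DP). Trace 7f3a9c is complete; c0ffee reached a DP with no
# assertion issued by any AP, which is the kind of anomaly monitoring should surface.
SAMPLE_LOGS = """\
AP-EXAMPLE-U   2004-06-01T12:00:01Z opaque=7f3a9c event=assertion_issued role=BORROWER
IP-CENTRAL     2004-06-01T12:00:02Z opaque=7f3a9c event=index_lookup providers=DP-LENDER-A,DP-GUARANTOR-X
DP-LENDER-A    2004-06-01T12:00:03Z opaque=7f3a9c event=data_returned
DP-GUARANTOR-X 2004-06-01T12:00:03Z opaque=7f3a9c event=data_returned
DP-LENDER-B    2004-06-01T12:05:00Z opaque=c0ffee event=data_returned
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<provider>\S+)\s+(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+"
    r"opaque=(?P<opaque>\S+)\s+event=(?P<event>\S+)"
)


def parse_logs(text):
    """Group (timestamp, provider, event) tuples by opaque ID, oldest first.
    Returns (traces, unparsed_line_count) so silently dropped lines are visible."""
    traces = defaultdict(list)
    unparsed = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        traces[m["opaque"]].append((m["ts"], m["provider"], m["event"]))
    for events in traces.values():
        events.sort()
    return dict(traces), unparsed


def trace_path(traces, opaque_id):
    """The providers a request touched, in time order, for help-desk tracing."""
    return [provider for _, provider, _ in traces.get(opaque_id, [])]


def orphan_traces(traces):
    """Opaque IDs for which a Data Provider returned data but no Access Provider
    logged issuing the assertion: missing AP logs, or a forged or replayed request."""
    return sorted(
        opaque for opaque, events in traces.items()
        if any(e == "data_returned" for _, _, e in events)
        and not any(e == "assertion_issued" for _, _, e in events)
    )
```

Because every provider keeps a year of logs, the same join can be run long after the fact; the unparsed-line count is returned so that a format change at one provider shows up as a gap rather than as a clean trace.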

Page 23: For More Information…

Interactive Web Site Launched: www.MeteorNetwork.org

• Audio presentation
• Interactive demonstration version of the software
• Link to the Meteor project site

Project Documentation: www.NCHELP.org/Meteor.htm

• Implementation information
• Current provider list
• User Guide and other documentation

Page 24: Contact Information

Tim Cameron – [email protected]

Tim Bornholtz, The Bornholtz Group – [email protected]