usnistgov / FIPS201

Working draft of FIPS 201-3
https://pages.nist.gov/FIPS201/

Authoritative Federation IdP services #571

Closed TimSchmoyer closed 3 years ago

TimSchmoyer commented 3 years ago

All Fields Are Required

Organization Name (N/A, if individual): Mari Spina mspina@mitre.org

Organization Type (see below for codes): Self

Reference (Include section/paragraph or pdf line number): 7. Federation

Comment (Include rationale for comment): The ability to find the Authoritative Federation IdP services when a user from a non-resident domain is attempting to authenticate may prove valuable in a Zero Trust Architecture. This concept is addressed by the Max.gov FedHub. The Zscaler product refers to an "IdP Redirect" (https://help.zscaler.com/zia/about-identity-providers). The Okta product addresses it as "IdP Discovery" or "IdP Routing" (https://help.okta.com/en/prod/Content/Topics/Security/Identity_Provider_Discovery.htm). Another company, WSO2, defines a "Federation Hub" (https://wso2.com/articles/2018/06/what-is-federated-identity-management/) and Mini-Orange describes the discovery process as "Domain-based redirection to ID" (https://www.miniorange.com/identity-broker-service). Years ago there was even a DHS/DoD backend attribute exchange (BAE) broker proof of concept that addressed this issue.

Suggested Change: Suggest addition of text to allow for the use and integration of an IdP Discovery Service or a Federation Broker to handle the search, discovery, and identification of authoritative IdPs. An IdP Broker concept is described by: https://csrc.nist.gov/CSRC/media/Projects/Attribute-Based-Access-Control/documents/july2013_workshop/july2013_abac_workshop_ksmith.pdf#page=4.

Continued Rationale: In a Zero Trust architecture, there may also be value in allowing multiple IdPs to provide assertions because each may hold attributes about the user that the others do not have. In the future, some IdPs may hold dynamic attributes or computed trust scores.


Organization Type: 1 = Federal, 2 = Industry, 3 = Academia, 4 = Self, 5 = Other
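As an added illustration of the domain-based IdP discovery ("IdP routing" / "home realm discovery") the comment above refers to, here is example code written for this page; it is not from FIPS 201, NIST, or any of the products named in the comment. The registry entries, agency domains and endpoint URLs are constructed, and the redirect query parameters (`login_hint`, `RelayState`) are assumptions for illustration only. It routes a user identifier from a non-resident domain to the pre-registered IdP that is authoritative for that domain, fails closed on unknown domains, refuses to pick silently when more than one IdP claims a domain (the multi-IdP case the comment raises), and never redirects anywhere that is not in the registry, so the discovery step cannot be turned into an open redirect.

```python
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlencode


@dataclass(frozen=True)
class IdP:
    entity_id: str              # federation entity identifier (constructed)
    sso_url: str                # pre-registered single sign-on endpoint (constructed)
    domains: frozenset          # identifier domains this IdP is authoritative for
    include_subdomains: bool = False


# Constructed registry for this example. In a real deployment it is loaded from
# signed federation metadata, never from anything the end user supplies.
REGISTRY: Tuple[IdP, ...] = (
    IdP("https://idp.agency-a.gov/saml", "https://idp.agency-a.gov/sso",
        frozenset({"agency-a.gov"})),
    IdP("https://idp.agency-b.gov/saml", "https://idp.agency-b.gov/sso",
        frozenset({"agency-b.gov"}), include_subdomains=True),
    # A second (e.g. attribute-only) IdP that also claims agency-b.gov, to show
    # how an ambiguous domain is surfaced instead of silently picking one.
    IdP("https://attrs.agency-b.gov/saml", "https://attrs.agency-b.gov/sso",
        frozenset({"agency-b.gov"})),
)


class DiscoveryError(ValueError):
    """Raised when no safe routing decision can be made."""


def normalize_domain(user_id: str) -> str:
    """Extract and normalize the routing domain from 'user@domain' or a bare 'domain'."""
    s = user_id.strip().lower().rstrip(".")
    if "@" in s:
        local, _, domain = s.rpartition("@")
        if not local:
            raise DiscoveryError("empty local part in identifier")
    else:
        domain = s
    # Only plain DNS-style labels are accepted as a routing key, which keeps
    # attacker-controlled strings (spaces, slashes, empty labels) out of it.
    labels = domain.split(".")
    if not domain or any(
        not lbl or not all(c.isalnum() or c == "-" for c in lbl) for lbl in labels
    ):
        raise DiscoveryError(f"invalid domain in identifier: {user_id!r}")
    return domain


def find_idps(user_id: str, registry: Tuple[IdP, ...] = REGISTRY) -> List[IdP]:
    """Return every registered IdP authoritative for the user's domain; [] if none (fail closed)."""
    domain = normalize_domain(user_id)
    matches = []
    for idp in registry:
        if domain in idp.domains:
            matches.append(idp)
        # Suffix match requires a label boundary, so 'evilagency-b.gov' and
        # 'agency-b.gov.evil.com' do not route to agency-b's IdP.
        elif idp.include_subdomains and any(domain.endswith("." + d) for d in idp.domains):
            matches.append(idp)
    return matches


def build_redirect(user_id: str, relay_state: str = "/",
                   registry: Tuple[IdP, ...] = REGISTRY) -> str:
    """Build the redirect URL to the single authoritative IdP, or refuse."""
    candidates = find_idps(user_id, registry)
    if not candidates:
        raise DiscoveryError("no authoritative IdP registered for this domain")
    if len(candidates) > 1:
        # Do not guess: hand the choice to policy or to the user.
        raise DiscoveryError("ambiguous domain; select among: "
                             + ", ".join(i.entity_id for i in candidates))
    # RelayState must stay a local path so the post-login return cannot be
    # steered to a third-party site.
    if not relay_state.startswith("/") or relay_state.startswith("//") or "://" in relay_state:
        raise DiscoveryError("RelayState must be a relative path")
    idp = candidates[0]
    # The only redirect target ever emitted is the registry's pre-registered
    # sso_url; the user identifier is carried as a hint, not used as a URL.
    query = urlencode({"login_hint": user_id.strip().lower(), "RelayState": relay_state})
    return idp.sso_url + "?" + query


if __name__ == "__main__":
    print(build_redirect("Alice@Agency-A.gov", "/app"))
    for uid in ("bob@agency-b.gov", "eve@agency-a.gov.evil.com"):
        try:
            print(build_redirect(uid))
        except DiscoveryError as e:
            print(f"{uid}: refused ({e})")
```

The two refusal paths are the point of the example: an unregistered or look-alike domain gets no redirect at all rather than a best guess, and a domain claimed by more than one IdP is surfaced as ambiguous so that a policy (or the user, as in the selection screens the comment's product links describe) decides which assertion source, or sources, to use.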

jricher commented 3 years ago

Suggest decline, both IdP discovery and identity brokers are out of scope for this document.

TimSchmoyer commented 3 years ago

Hi Justin! Happy to have a discussion. We may want to start with Figure 3-4 as the federation/interoperability mechanism between agencies' PIV cardholders and whether there should be another figure showing an agency's IdP talking to another IdP or Proxy IdP. Details would still be in NIST SP 800-63C: 5.1.4 Proxied Federation; 10.2.3 User Models and Beliefs.

jricher commented 3 years ago

Decline, both discovery of "home IdP" and issues around brokers/proxies will be covered in a future PIV Federation SP.