...


Document Name: NCSA Identity & Access Management Policy
Version: 1.23
Accountable: Adam Slagell
Authors: Adam Slagell, Alex Withers
Approved: Sept 6, 2018


...

Federated & External Identity Providers

Approval of new Identity Providers

The NCSA Information Infrastructure Board (IIB) will review requests to accept new Identity Providers (IdPs) for NCSA services. Each request will be evaluated with regard to security, the particular service involved, technical challenges, and benefits to the Center.

Currently Recognized External Identity Providers

  • University of Illinois at Urbana-Champaign
  • XSEDE Federation

Exporting NCSA Identities

...

NCSA does not sell any user information to third parties.

Accessing External Services

Amazon Web Services

Access to Amazon Web Services (AWS) is available through the University of Illinois (see: https://aws.illinois.edu).

AWS Instances

Whether an NCSA managed asset is hosted in the cloud or on site, all NCSA security policies, including this IAM policy, still apply to the individual hosts. NCSA IAM services such as Kerberos, LDAP, Shibboleth, and Duo are available in the cloud and should be used in the same way as they would be for a local host.

AWS Console

Amazon allows the Management Console to be authenticated through external IAM systems rather than only local Amazon accounts. The following methods are acceptable for authenticating to the AWS Management Console:

  1. Campus authentication via https://shibboleth.illinois.edu/ (enabled by default for University of Illinois AWS accounts). Duo MFA must be enabled for the campus account.
  2. NCSA authentication via https://idp.ncsa.illinois.edu/ (requires custom setup: contact help+idp@ncsa.illinois.edu for assistance). Duo MFA must be enabled for the NCSA account. This method supports NCSA external collaborators creating NCSA accounts at https://identity.ncsa.illinois.edu/.
  3. An AWS User account, for emergency access in case illinois.edu is offline, to meet specific service level agreement obligations. The password for this account must: 1) meet NCSA password requirements, and 2) be stored in LastPass Enterprise in a shared folder owned by an NCSA employee. The owner of the shared folder is responsible for keeping the folder's membership up to date and for changing the shared password whenever someone is removed from the folder.

The following methods are acceptable for managing authorization to the AWS Management Console:

  1. For campus identities, map Active Directory group memberships to AWS Roles. An Admin group/role is set up as part of University of Illinois AWS account setup.
  2. For NCSA identities, map LDAP group memberships to AWS Roles (requires custom setup: contact help+idp@ncsa.illinois.edu for assistance).
  3. Access to the AWS User account, for emergencies during illinois.edu outages, is managed via a LastPass Enterprise shared folder, shared only with specific personnel who are responsible for emergency operations.

Policy for Accepting Federated IdPs

Identities from external providers may be used for access to applications with baseline authentication needs, i.e., without requirements for a higher level of assurance such as multi-factor authentication or face-to-face identity vetting. Only one account per IdP can be bound to a user's NCSA identity. NCSA resources may choose from the following supported identity providers; the default for a resource is to accept only NCSA identities, and approval from the CISO is needed before a resource may accept linked identities:

  • identity providers in the InCommon (incommon.org) federation, including research and education providers in the United States and international providers from eduGAIN (edugain.org) member federations.
  • open access identity providers: Google (accounts.google.com), GitHub (github.com), and ORCID (orcid.org)
  • identity providers operated by NCSA industry partners

Support for a higher level of assurance from external identity providers requires custom configuration. Contact help+idp@ncsa.illinois.edu for assistance with higher level of assurance use cases. Changes to the list of acceptable federated IdPs are approved by the CISO.


...

Exceptions Process

There are exceptions and special cases to any policy. Requests for exceptions should be made to the NCSA Security Office and may be approved by either that office or the NCSA Director's Office.

...