Extending enterprise boundaries complicates compliance as standards, policies, and processes are usually different between domains. As a result, to become a member of a federation, the participants usually have to meet a baseline of standards established by the “hub” so that a “trust framework” can be established. Components to the framework define:
- The rights and responsibilities of the participants
- Common policies and standards
- Common processes and procedures that provide assurance, and
- The level of risk associated with the transaction types of its participants
Often federation deployments are thought of as just implementing the technology. This may work for a few partners but it quickly becomes apparent that the investment of properly defining the on-boarding and certification processes beforehand pays dividends later as a federation scales.
As part of our offering, FuGen is able to provide customers with the expertise to develop the processes and policies for organizations besides helping them with the implementation of the federation.
Once deployed, our MISPTM platform can then be used to certify that the policies and standards, reflected in the protocol messaging and defined within a “deployment profile”, are being enforced.
By capturing and parsing the messaging between federation endpoints, our platform can verify identity assertions/claims, identity token format verification, encryption and digital signatures, authentication methods, end-to-end ID mapping, claims-based attributes, metadata mapping, and assurance level mappings against defined criteria.
The certification reports provide an auditable record to show, for example:
- Federation Assurance: federation endpoints are adhering to the protocol interoperability requirements stipulated by the specific “deployment profile”. Examples of Government profiles we already support include: FICAM SAML2.0, FICAM OpenID, Denmark OIO SAML2.0, eGov2.0, and the SAML2.0 profiles for GSA, Canada and Finland.
- Identity or Attribute Assurance: no “leakage” of personally identifiable information or only information necessary to complete a transaction is passed to an endpoint. The reports validate that the standards of the trust framework protecting the privacy of an individual is validated as, for example, is required by HIPPA regulations.
- Levels of Assurance (LOA): the level of risk associated with the transaction types is appropriate. Several elements detailed in the report may reflect the security controls useful for regulatory compliance such as with PCI/DSS, HIPPA, or SOX.
- SAS-70 Type 1 certification compliance
All certification reports are archived for audit purposes.