Convender: Pieter van der Meulen
Notetaker: John Chapman
See pdf for details:
start with normal authN and depending on the service additional authN is requested
Surf has hub in middle (SURFConext) that allows them to do lots of things
An IdP could do this themselves, but as SURF is a full service federation and there is no standard way for adding this functionality SURF is looking at a service to handle the registration and step up AuthN service - SURFsure 2
not doing VPN access initially as there is no standard way of working with VPN gateways
NIST and STORK both have 4 LOA
SP requests authN level in authN Request to SC gateway that asks the IdP
So SURFsure is another proxy just like SURFConext acting as an SP IdP gateway
SPs will need to choose to connect to the SURFSure hub if they need to request LoA2
Slides show an architecture that SURF is intending to implement this year
In person registration is actually easier and more efficient as the sites that want to implement aren't allowed to check official registries
SURFnet has delegated registration to institutions so trusted parties at institutions are authorised to register individuals that require 2FA.
CERN requires LoA2 AuthN but LoA4 registration. This is pretty much what SURFnet does.
Step up authN might not be as easy in non-hub and spoke federations...
SURFnet management plan Q2 pilot Q3 production.