Trust and Internet Identity Meeting Europe
17.-20. Feb 2020: Workshops and Unconference

E-sign & Forced Reauthentication

(Matthew Economou)

Two not directly coupled components, synced to the point from LDAP; complicated, and we don’t know whether there are better tools.

How to have positive attestation that there is a human behind the keyboard for approving travel requests or other requests? We have the new SharePoint domestication story, but on the other side is: how do we do the attestation? We also have another tool, for scientific data collection, using REDCap; it also has an electronic signature function. We think, looking at REDCap, that the URL you go to for signing I could trap and basically signal Shibboleth to do a forced authentication. I am not 100% certain, and there is the question: does the customer have the requirement for signatures requiring a higher level of assurance or identity proofing? If so, how do we do that? Is asking for a second factor possible? If so, is it interoperable, and how does it work from Shibboleth to SATOSA to the home IdP?

You can define what you are looking for, but you don’t need to define it. This is what the Dutch call step-up authentication. We are doing that in some systems. We have made a rulebook. We added demands on assurance levels by adding a checklist: that you need this or that, or that the user has that.

Albert: How strong do you need the e-signature to be?

It doesn’t need to be strong. 21 CFR Part 11 says it must support e-signatures, so it doesn’t have to be strong. We could just have them type in their name. The culture in clinical research is that that’s not what they are expecting. Our monitors are going to look for something like re-authentication. If I force one, or entering a token or SMS, that’s probably going to be enough.

A: The practical impact is, what you’re proving is that the person in front of the device is the person that signed originally?

Yes. We can’t make that guarantee. Can we actually guarantee that? Probably not.

A: What I am saying is you’re looking for the authentication and that I am signing this.

Chris: Digital signatures: that something is in the statement. Can you prove that it is sufficient and it hasn’t been mutated after the fact? I think some of the questions are the size of the audience: hundreds of people? They might come from different locations. They might not have the capacity to stand up. Type your name and you have some user info there…

Matt: Logistically it’s username/password.

C: What you may want to consider is: would you just check some row in the table that says yes, that’s a $50k approval? There is no way to prove it. There is a data rest did what the attestation. Is the user ID sufficient?

Most of the people who are doing the approvals we could force to do a PIV card, multi-factor auth.

C: The people who have the authority they have the thing that you can invoke. Not worry about the reauthorization story…

That’s different from the data capture on the clinical studies. There are two use cases. One, they release a fund, done only by a grant manager or a contracting officer. We can force that auth to use a PIV card. For everything else, the investigators are going to authorize a consumer for the lab. That auth at the investigator level or the local procurement agent doesn’t require that level of assurance.

It’s the low-level money.

They are not doing the final approval, just saying “I need this” We don’t want to force that unless we reach that threshold.

Chris: You’re in a strange bind. What you’re looking at is that your procurement spectrum, from $0 to very large sums of money, will have different increments. It’s all in the workflow design.

The issue with SharePoint, I hate it, but it seems like it works. You’re not supposed to use it as a workflow, but we do.

C: There are very rich stories from third parties. The profile of the user is insufficient. The SAML profile is insufficient. There isn’t an active domain; it creates, in the DB of the site collection, a user profile that has in theory the attributes that you sent to SharePoint.

Albert: I am hearing two separate things, the SAML and the workflow which has nothing to do with authentication and authorization. Which one is the problem?

C: If the profile doesn’t have enough information, then the profile will be hobbling along. The fewer most had apps are, the more external linkages cost maintenance.

In the long run these are two specific needs: I need a tool that can do workflows. I have this idea that we will be able to use it for collabs and data sharing. Have it released to a proconsole?

Albert: I will suggest something controversial. I don’t know how viable it is. ServiceNow has a very robust workflow. It has massive issues but it’s a great workflow engine.

C: You can pick your OTS; ticketing systems are state engines.

A: ServiceNow isn’t a ticketing engine; that’s how it was originally made, but now it’s a workflow engine. Ticketing is a manifestation of the past. It consumes and creates APIs. The cost of entry is high, though.

Matt: At the moment the cost of making SharePoint work has exceeded in labor hours what ServiceNow might’ve cost. What do the other scientific collaborations or federations use?

Scott: They have a guy; he hacks in Perl every time they need one. The workflows can never find everything that worked.

We know we can make it work with ER MAPS, but it’s way more expensive than ServiceNow. They tried to force their workflow into Jira.

Ben: There are also open-source projects. You will have to host them. Activity, BPMN-based kinds of solutions.

C: Bonitasoft has an open length arm for flows, and you can call it as an API workflow. When we do flows on things, we have enrollments for things, some SURFnet stuff. We have a web form, you submit stuff, and we do something with it. OTRS, which I have federated. If you step back and look at the cost and where my data is, I would lean to filling the gaps with SharePoint and augmenting the data. Built-in workflow, which is painful; you are going to need a guy, and it’s a business process story.

I have two SharePoint developers and admins, and Matthew.

That blend tells me SharePoint.

Nintex has a workflow platform. It was an extra bolt-on to SharePoint. What you do is bolt this on, and it has that facility; if you enhance the data, maybe you already have enough to use this. What will happen is that these workflows are “I need to solve this problem here, or we need a hacker for Perl.” Many processes that you will have to do this once in; as a platform story, either you are going to buy into the SharePoint view of the story, the lesser evil of teasing stuff.

Albert: The question in my head is whether you want to continue to sustain SharePoint.

One of the reasons why we have such a hostile customer is because our organization decided not to sustain SharePoint a year ago. We found a dev who didn’t like the gov contracting process. We didn’t know anyone who would do SharePoint, but they decided that they would go with SharePoint anyway.

If you will maintain some SharePoint, maintain it. SharePoint won’t go away; it stayed in management’s head. It does a lot of things. It’s typical Microsoft. … We tried doing this in student management. Uni work, 100 departments, we had 200, 300 professors, 8000 in total, and we did that with groups and a directory, and we said no, you can’t, then you have nnn number of groups.